1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
From bdf9d2ee3a565fef3160690d7a0dd06218e6efc0 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 14 Jul 2020 17:04:24 +0200
Subject: [PATCH] Fix #79797: Use of freed hash key in the phar_parse_zipfile
function
We must not use heap memory after we freed it.
(cherry picked from commit 7355ab81763a3d6a04ac11660e6a16d58838d187)
---
NEWS | 6 ++++++
ext/phar/tests/bug79797.phar | Bin 0 -> 274 bytes
ext/phar/tests/bug79797.phpt | 14 ++++++++++++++
ext/phar/zip.c | 2 +-
4 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 ext/phar/tests/bug79797.phar
create mode 100644 ext/phar/tests/bug79797.phpt
diff --git a/NEWS b/NEWS
index 19fbb3adf2..69361ae49a 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,12 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+Backported from 7.2.33
+
+- Phar:
+ . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
+ function). (CVE-2020-7068) (cmb)
+
Backported from 7.2.31
- Core:
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index d615e8adda..50c5d69e9b 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -703,7 +703,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
efree(actual_alias);
}
- zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), actual_alias, mydata->alias_len, mydata);
+ zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), mydata->alias, mydata->alias_len, mydata);
} else {
phar_archive_data *fd_ptr;
|