smalyshev · January 17, 2016 04:45
diff --git a/71391.diff b/71391.diff
 commit 1c1b8b69982375700d4b011eb89ea48b66dbd5aa
 Author: Stanislav Malyshev <[email protected]>
 Date:   Sat Jan 16 20:43:43 2016 -0800

    Fix bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()

 diff --git a/ext/phar/tar.c b/ext/phar/tar.c
 index 34ef0ef..5f26805 100644
 --- a/ext/phar/tar.c
 +++ b/ext/phar/tar.c
 @@ -880,6 +880,9 @@ static int phar_tar_setupmetadata(void *pDest, void *argument TSRMLS_DC) /* {{{
 
 	if (entry->filename_len >= sizeof(".phar/.metadata") && !memcmp(entry->filename, ".phar/.metadata", sizeof(".phar/.metadata")-1)) {
 		if (entry->filename_len == sizeof(".phar/.metadata.bin")-1 && !memcmp(entry->filename, ".phar/.metadata.bin", sizeof(".phar/.metadata.bin")-1)) {
 +			if (entry->phar->metadata == NULL) {
 +				return ZEND_HASH_APPLY_REMOVE;
 +			}
 			return phar_tar_setmetadata(entry->phar->metadata, entry, error TSRMLS_CC);
 		}
 		/* search for the file this metadata entry references */
 diff --git a/ext/phar/tests/bug71391.phpt b/ext/phar/tests/bug71391.phpt
 new file mode 100644
 index 0000000..b8d84f5
 --- /dev/null
 +++ b/ext/phar/tests/bug71391.phpt
 @@ -0,0 +1,18 @@
 +--TEST--
 +Phar: bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()
 +--SKIPIF--
 +<?php if (!extension_loaded("phar")) die("skip"); ?>
 +--FILE--
 +<?php
 +// duplicate since the tar will change
 +copy(__DIR__."/bug71391.tar", __DIR__."/bug71391.test.tar");
 +$p = new PharData(__DIR__."/bug71391.test.tar");
 +$p->delMetaData();
 +?>
 +DONE
 +--CLEAN--
 +<?php 
 +unlink(__DIR__."/bug71391.test.tar");
 +?>
 +--EXPECT--
 +DONE
 \ No newline at end of file
 diff --git a/ext/phar/tests/bug71391.tar b/ext/phar/tests/bug71391.tar
 new file mode 100644
 index 0000000..a5b155a
 Binary files /dev/null and b/ext/phar/tests/bug71391.tar differ
	commit 1c1b8b69982375700d4b011eb89ea48b66dbd5aa
	Author: Stanislav Malyshev <[email protected]>
	Date: Sat Jan 16 20:43:43 2016 -0800

	Fix bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()

	diff --git a/ext/phar/tar.c b/ext/phar/tar.c
	index 34ef0ef..5f26805 100644
	--- a/ext/phar/tar.c
	+++ b/ext/phar/tar.c
	@@ -880,6 +880,9 @@ static int phar_tar_setupmetadata(void pDest, void argument TSRMLS_DC) /* {{{

	if (entry->filename_len >= sizeof(".phar/.metadata") && !memcmp(entry->filename, ".phar/.metadata", sizeof(".phar/.metadata")-1)) {
	if (entry->filename_len == sizeof(".phar/.metadata.bin")-1 && !memcmp(entry->filename, ".phar/.metadata.bin", sizeof(".phar/.metadata.bin")-1)) {
	+ if (entry->phar->metadata == NULL) {
	+ return ZEND_HASH_APPLY_REMOVE;
	+ }
	return phar_tar_setmetadata(entry->phar->metadata, entry, error TSRMLS_CC);
	}
	/* search for the file this metadata entry references */
	diff --git a/ext/phar/tests/bug71391.phpt b/ext/phar/tests/bug71391.phpt
	new file mode 100644
	index 0000000..b8d84f5
	--- /dev/null
	+++ b/ext/phar/tests/bug71391.phpt
	@@ -0,0 +1,18 @@
	+--TEST--
	+Phar: bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()
	+--SKIPIF--
	+<?php if (!extension_loaded("phar")) die("skip"); ?>
	+--FILE--
	+<?php
	+// duplicate since the tar will change
	+copy(__DIR__."/bug71391.tar", __DIR__."/bug71391.test.tar");
	+$p = new PharData(__DIR__."/bug71391.test.tar");
	+$p->delMetaData();
	+?>
	+DONE
	+--CLEAN--
	+<?php
	+unlink(__DIR__."/bug71391.test.tar");
	+?>
	+--EXPECT--
	+DONE
	\ No newline at end of file
	diff --git a/ext/phar/tests/bug71391.tar b/ext/phar/tests/bug71391.tar
	new file mode 100644
	index 0000000..a5b155a
	Binary files /dev/null and b/ext/phar/tests/bug71391.tar differ