Merge branch 'PHP-8.5'

devnexen · devnexen · commit 77925b971add · 2026-03-05T22:32:38.000Z
* PHP-8.5: Fix GH-21333: use-after-free when unlinking entries during iteration of a compressed phar.
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
@@ -2405,7 +2405,7 @@ static int phar_flush_clean_deleted_apply(zval *zv) /* {{{ */
 {
 	phar_entry_info *entry = (phar_entry_info *)Z_PTR_P(zv);
 
-	if (entry->fp_refcount <= 0 && entry->is_deleted) {
+	if (entry->is_deleted && phar_entry_can_remove(entry)) {
 		return ZEND_HASH_APPLY_REMOVE;
 	} else {
 		return ZEND_HASH_APPLY_KEEP;
diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
@@ -400,6 +400,11 @@ static inline void phar_set_inode(phar_entry_info *entry) /* {{{ */
 }
 /* }}} */
 
+static inline bool phar_entry_can_remove(phar_entry_info *entry)
+{
+	return entry->fp_refcount == 0 && entry->fileinfo_lock_count == 0;
+}
+
 void phar_request_initialize(void);
 
 void phar_object_init(void);
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
@@ -726,7 +726,7 @@ static int phar_tar_writeheaders_int(phar_entry_info *entry, void *argument) /*
 	}
 
 	if (entry->is_deleted) {
-		if (entry->fp_refcount <= 0 && entry->fileinfo_lock_count == 0) {
+		if (phar_entry_can_remove(entry)) {
 			return ZEND_HASH_APPLY_REMOVE;
 		} else {
 			/* we can't delete this in-memory until it is closed */
diff --git a/ext/phar/tests/gh21333.phpt b/ext/phar/tests/gh21333.phpt
@@ -0,0 +1,38 @@
+--TEST--
+GH-21333 (UAF when unlinking entries during iteration of a compressed phar)
+--CREDITS--
+YuanchengJiang
+--EXTENSIONS--
+phar
+zlib
+--INI--
+phar.readonly=0
+--FILE--
+<?php
+$phar_path = __DIR__ . "/gh21333.phar";
+$phar = new Phar($phar_path);
+$phar->addFromString("file", "initial_content");
+$phar->addEmptyDir("dir");
+
+$phar2 = $phar->compress(Phar::GZ);
+
+$tmp_src = __DIR__ . "/gh21333.tmp";
+file_put_contents($tmp_src, str_repeat("A", 100));
+
+foreach ($phar2 as $item) {
+    @copy($tmp_src, $item);
+    @unlink($item);
+}
+
+$garbage = get_defined_vars();
+
+echo "Done\n";
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . "/gh21333.phar");
+@unlink(__DIR__ . "/gh21333.phar.gz");
+@unlink(__DIR__ . "/gh21333.tmp");
+?>
+--EXPECT--
+Done
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
@@ -851,7 +851,7 @@ static int phar_zip_changed_apply_int(phar_entry_info *entry, void *arg) /* {{{
 	}
 
 	if (entry->is_deleted) {
-		if (entry->fp_refcount <= 0 && entry->fileinfo_lock_count == 0) {
+		if (phar_entry_can_remove(entry)) {
 			return ZEND_HASH_APPLY_REMOVE;
 		} else {
 			/* we can't delete this in-memory until it is closed */

Original file line number	Diff line number	Diff line change
`@@ -2405,7 +2405,7 @@ static int phar_flush_clean_deleted_apply(zval zv) / {{{ */`
`2405`	`2405`	`{`
`2406`	`2406`	`phar_entry_info entry = (phar_entry_info )Z_PTR_P(zv);`
`2407`	`2407`
`2408`		`- if (entry->fp_refcount <= 0 && entry->is_deleted) {`
	`2408`	`+ if (entry->is_deleted && phar_entry_can_remove(entry)) {`
`2409`	`2409`	`return ZEND_HASH_APPLY_REMOVE;`
`2410`	`2410`	`} else {`
`2411`	`2411`	`return ZEND_HASH_APPLY_KEEP;`
Original file line number	Diff line number	Diff line change
`@@ -726,7 +726,7 @@ static int phar_tar_writeheaders_int(phar_entry_info entry, void argument) /*`
`726`	`726`	`}`
`727`	`727`
`728`	`728`	`if (entry->is_deleted) {`
`729`		`- if (entry->fp_refcount <= 0 && entry->fileinfo_lock_count == 0) {`
	`729`	`+ if (phar_entry_can_remove(entry)) {`
`730`	`730`	`return ZEND_HASH_APPLY_REMOVE;`
`731`	`731`	`} else {`
`732`	`732`	`/* we can't delete this in-memory until it is closed */`
Original file line number	Diff line number	Diff line change
`@@ -851,7 +851,7 @@ static int phar_zip_changed_apply_int(phar_entry_info entry, void arg) /* {{{`
`851`	`851`	`}`
`852`	`852`
`853`	`853`	`if (entry->is_deleted) {`
`854`		`- if (entry->fp_refcount <= 0 && entry->fileinfo_lock_count == 0) {`
	`854`	`+ if (phar_entry_can_remove(entry)) {`
`855`	`855`	`return ZEND_HASH_APPLY_REMOVE;`
`856`	`856`	`} else {`
`857`	`857`	`/* we can't delete this in-memory until it is closed */`