From 432bf196d59bcb661fcf9cb7029cea9b43f490af Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 27 Sep 2022 17:43:40 +0200 Subject: [PATCH] Fix regression introduced by fixing bug 81726 When a tar phar is created, `phar_open_from_fp()` is also called, but since the file has just been created, none of the format checks can succeed, so we continue to loop, but must not check again for the format. Therefore, we bring back the old `test` variable. Closes GH-9620. --- ext/phar/phar.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 4a761ef7998..ecab9162faf 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -1584,7 +1584,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char const char zip_magic[] = "PK\x03\x04"; const char gz_magic[] = "\x1f\x8b\x08"; const char bz_magic[] = "BZh"; - char *pos; + char *pos, test = '\0'; int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion const int window_size = 1024; char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ @@ -1613,7 +1613,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)") } - if (recursion_count) { + if (!test && recursion_count) { + test = '\1'; pos = buffer+tokenlen; if (!memcmp(pos, gz_magic, 3)) { char err = 0; @@ -1673,6 +1674,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char compression = PHAR_FILE_COMPRESSED_GZ; /* now, start over */ + test = '\0'; if (!--recursion_count) { MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\""); break; @@ -1714,6 +1716,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char compression = PHAR_FILE_COMPRESSED_BZ2; /* now, start over */ + test = '\0'; if (!--recursion_count) { MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\""); break;