Merge branch 'PHP-8.3' into PHP-8.4

nielsdos · nielsdos · commit c3d17d93d3ee · 2025-10-01T10:47:28.000+02:00
* PHP-8.3:
  Fix memory leak and invalid continuation after tar header writing fails
diff --git a/NEWS b/NEWS
@@ -39,6 +39,10 @@ PHP                                                                        NEWS
     (Arnaud)
   . Fixed bug GH-19831 (function JIT may not deref property value). (Arnaud)
 
+- Phar:
+  . Fix memory leak and invalid continuation after tar header writing fails.
+    (nielsdos)
+
 - SimpleXML:
   . Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).
     (nielsdos)
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
@@ -1170,7 +1170,16 @@ void phar_tar_flush(phar_archive_data *phar, zend_string *user_stub, bool is_def
 	}
 
 	zend_hash_apply_with_argument(&phar->manifest, phar_tar_writeheaders, (void *) &pass);
-	/* TODO: memory leak and incorrect continuation if phar_tar_writeheaders fails? */
+
+	if (error && *error) {
+		if (closeoldfile) {
+			php_stream_close(oldfile);
+		}
+
+		/* on error in the hash iterator above, error is set */
+		php_stream_close(newfile);
+		return EOF;
+	}
 
 	/* add signature for executable tars or tars explicitly set with setSignatureAlgorithm */
 	if (!phar->is_data || phar->sig_flags) {
diff --git a/ext/phar/tests/tar_flush_too_long_filename.phpt b/ext/phar/tests/tar_flush_too_long_filename.phpt
@@ -0,0 +1,41 @@
+--TEST--
+Tar flush with too long file name
+--EXTENSIONS--
+phar
+--SKIPIF--
+<?php
+if (getenv('SKIP_SLOW_TESTS')) die('skip');
+if (function_exists('openssl_sign')) die('skip requires openssl disabled for mocking purposes');
+?>
+--INI--
+phar.require_hash=0
+--FILE--
+<?php
+$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.tar';
+
+// Mock sign to fail at second invocation, tricks failure in phar_create_signature()
+function openssl_sign() {
+    static $counter = 0;
+    $counter++;
+    if ($counter === 2) {
+        return false;
+    }
+    return true;
+}
+
+$phar = new PharData($fname);
+$phar->addEmptyDir('blah1/');
+$phar->setSignatureAlgorithm(Phar::OPENSSL, "randomcrap");
+try {
+    $phar->addEmptyDir('blah2/' . str_repeat('X', 1000));
+} catch (PharException $e) {
+    echo $e->getMessage();
+}
+
+?>
+--CLEAN--
+<?php
+unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.tar');
+?>
+--EXPECTF--
+tar-based phar "%s" cannot be created, filename "%s" is too long for tar file format
