Fix #77919: Potential UAF in Phar RSHUTDOWN

cmb69 · cmb69 · commit e204df55ac10 · 2019-07-30T09:14:05.000+02:00
We have to properly clean up in case phar_flush() is failing. We also make the expectation of the respective test case less liberal to avoid missing such bugs in the future. (cherry picked from commit cd1101e)
diff --git a/NEWS b/NEWS
@@ -11,6 +11,9 @@ PHP                                                                        NEWS
 - OPcache:
   . Fixed bug #78341 (Failure to detect smart branch in DFA pass). (Nikita)
 
+- Phar:
+  . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb)
+
 - Phpdbg:
   . Fixed bug #78297 (Include unexistent file memory leak). (Nikita)
 
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
@@ -1990,7 +1990,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext) /*
 	char *newname = NULL, *newpath = NULL;
 	zval ret, arg1;
 	zend_class_entry *ce;
-	char *error;
+	char *error = NULL;
 	const char *pcr_error;
 	size_t ext_len = ext ? strlen(ext) : 0;
 	size_t new_len, oldname_len, phar_ext_len;
@@ -2200,6 +2200,8 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext) /*
 	phar_flush(phar, 0, 0, 1, &error);
 
 	if (error) {
+		zend_hash_str_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len);
+		*sphar = NULL;
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "%s", error);
 		efree(error);
 		efree(oldpath);
diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
@@ -15,4 +15,7 @@ DONE
 ?>
 --EXPECTF--
 Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d
-Stack trace:%A
+Stack trace:
+#0 %s(%d): PharData->decompress('test')
+#1 {main}
+  thrown in %s on line %d
