From 44edde535a4868c7fbd7c95702d945e2fb02dfa8 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Fri, 17 Oct 2025 23:18:04 +0200 Subject: [PATCH] phar: Fix memory leak when openssl polyfill returns garbage --- ...sl_sign_invalid_polyfill_return_value.phpt | 34 +++++++++++++++++++ ext/phar/util.c | 4 ++- 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 ext/phar/tests/openssl_sign_invalid_polyfill_return_value.phpt diff --git a/ext/phar/tests/openssl_sign_invalid_polyfill_return_value.phpt b/ext/phar/tests/openssl_sign_invalid_polyfill_return_value.phpt new file mode 100644 index 0000000000000..37c14188edf98 --- /dev/null +++ b/ext/phar/tests/openssl_sign_invalid_polyfill_return_value.phpt @@ -0,0 +1,34 @@ +--TEST-- +openssl_sign() polyfill with wrong return value +--EXTENSIONS-- +phar +--SKIPIF-- + +--INI-- +phar.require_hash=0 +--FILE-- +setSignatureAlgorithm(Phar::OPENSSL, "randomcrap"); +try { + $phar->addEmptyDir('blah'); +} catch (PharException $e) { + echo $e->getMessage(); +} + +?> +--CLEAN-- + +--EXPECTF-- +phar error: unable to write signature to tar-based phar: unable to write phar "%s" with requested openssl signature diff --git a/ext/phar/util.c b/ext/phar/util.c index 416aa1dcd7b03..c69f830e62805 100644 --- a/ext/phar/util.c +++ b/ext/phar/util.c @@ -1471,7 +1471,6 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t zval_ptr_dtor_str(&zp[2]); switch (Z_TYPE(retval)) { - default: case IS_LONG: zval_ptr_dtor(&zp[1]); if (1 == Z_LVAL(retval)) { @@ -1483,6 +1482,9 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t *signature_len = Z_STRLEN(zp[1]); zval_ptr_dtor(&zp[1]); return SUCCESS; + default: + zval_ptr_dtor(&retval); + ZEND_FALLTHROUGH; case IS_FALSE: zval_ptr_dtor(&zp[1]); return FAILURE;