Fix phpGH-17139: Fix zip_entry_name() crash on invalid entry.

Increasing the GC refcount when reading the zip entry before zip_entry_name() fetches the info, leading to a dangling pointer otherwise.
devnexen · Dec 13, 2024 · 24c2694 · 24c2694
1 parent e7af08d
commit 24c2694
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
@@ -1257,6 +1257,7 @@ PHP_FUNCTION(zip_read)
 
 		zr_rsrc->zf = zip_fopen_index(rsrc_int->za, rsrc_int->index_current, 0);
 		if (zr_rsrc->zf) {
+			Z_ADDREF_P(zip_dp);
 			rsrc_int->index_current++;
 			RETURN_RES(zend_register_resource(zr_rsrc, le_zip_entry));
 		} else {

diff --git a/ext/zip/tests/gh17139.phpt b/ext/zip/tests/gh17139.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-17139 - zip_entry_name() crash
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+$zip = zip_open(__DIR__."/test_procedural.zip");
+if (!is_resource($zip)) die("Failure");
+// no need to bother looping over, the entry name should point to a dangling address from the first iteration
+$zip = zip_read($zip);
+var_dump(zip_entry_name($zip));
+?>
+--EXPECTF--
+Deprecated: Function zip_open() is deprecated in %s on line %d
+
+Deprecated: Function zip_read() is deprecated in %s on line %d
+
+Deprecated: Function zip_entry_name() is deprecated in %s on line %d
+string(3) "foo"