From 24c26944391cdcba31c95f4fea4386f4f75bc742 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Fri, 13 Dec 2024 09:19:09 +0000
Subject: [PATCH] Fix GH-17139: Fix zip_entry_name() crash on invalid entry.

Increasing the GC refcount when reading the zip entry before
zip_entry_name() fetches the info, leading to a dangling pointer
otherwise.
---
 ext/zip/php_zip.c          |  1 +
 ext/zip/tests/gh17139.phpt | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 ext/zip/tests/gh17139.phpt

diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 0c1dfaf5dd131..8eb8468edd385 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -1257,6 +1257,7 @@ PHP_FUNCTION(zip_read)
 
 		zr_rsrc->zf = zip_fopen_index(rsrc_int->za, rsrc_int->index_current, 0);
 		if (zr_rsrc->zf) {
+			Z_ADDREF_P(zip_dp);
 			rsrc_int->index_current++;
 			RETURN_RES(zend_register_resource(zr_rsrc, le_zip_entry));
 		} else {
diff --git a/ext/zip/tests/gh17139.phpt b/ext/zip/tests/gh17139.phpt
new file mode 100644
index 0000000000000..da53c62002419
--- /dev/null
+++ b/ext/zip/tests/gh17139.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-17139 - zip_entry_name() crash
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+$zip = zip_open(__DIR__."/test_procedural.zip");
+if (!is_resource($zip)) die("Failure");
+// no need to bother looping over, the entry name should point to a dangling address from the first iteration
+$zip = zip_read($zip);
+var_dump(zip_entry_name($zip));
+?>
+--EXPECTF--
+Deprecated: Function zip_open() is deprecated in %s on line %d
+
+Deprecated: Function zip_read() is deprecated in %s on line %d
+
+Deprecated: Function zip_entry_name() is deprecated in %s on line %d
+string(3) "foo"