phar: cap decompression output against declared uncompressed_filesize

iliaal · iliaal · commit 9ebd95b4788d · 2026-04-18T12:55:11.000-04:00
phar_open_entry_fp() decompressed entries by streaming
compressed_filesize bytes through a filter into a tmpfile, then
checked output size after the full copy. A crafted phar whose
compressed data expanded beyond uncompressed_filesize could write
large amounts to disk before the check ran.

Replace the single php_stream_copy_to_stream_ex() call with an 8 KiB
chunked loop that flushes the decompression filter and checks running
output size after each chunk. Abort when output exceeds
uncompressed_filesize.
diff --git a/ext/phar/tests/gh-ss012-decomp-bounds.phpt b/ext/phar/tests/gh-ss012-decomp-bounds.phpt
@@ -0,0 +1,26 @@
+--TEST--
+phar decompression: compressed entry round-trips correctly
+--EXTENSIONS--
+phar
+zlib
+--INI--
+phar.readonly=0
+--FILE--
+<?php
+$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar';
+$pname = 'phar://' . $fname;
+
+$phar = new Phar($fname);
+$phar['entry.txt'] = 'hello world';
+$phar['entry.txt']->compress(Phar::GZ);
+
+echo file_get_contents($pname . '/entry.txt') . "\n";
+echo "no crash";
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar');
+?>
+--EXPECT--
+hello world
+no crash
diff --git a/ext/phar/util.c b/ext/phar/util.c
@@ -926,10 +926,25 @@ zend_result phar_open_entry_fp(phar_entry_info *entry, char **error, int follow_
 	php_stream_seek(phar_get_entrypfp(entry), phar_get_fp_offset(entry), SEEK_SET);
 
 	if (entry->uncompressed_filesize) {
-		if (SUCCESS != php_stream_copy_to_stream_ex(phar_get_entrypfp(entry), ufp, entry->compressed_filesize, NULL)) {
-			spprintf(error, 4096, "phar error: internal corruption of phar \"%s\" (actual filesize mismatch on file \"%s\")", phar->fname, entry->filename);
-			php_stream_filter_remove(filter, 1);
-			return FAILURE;
+		size_t remaining = entry->compressed_filesize;
+		while (remaining > 0) {
+			size_t chunk = remaining < 8192 ? remaining : 8192;
+			size_t n = 0;
+			if (SUCCESS != php_stream_copy_to_stream_ex(phar_get_entrypfp(entry), ufp, chunk, &n)) {
+				spprintf(error, 4096, "phar error: internal corruption of phar \"%s\" (actual filesize mismatch on file \"%s\")", phar->fname, entry->filename);
+				php_stream_filter_remove(filter, 1);
+				return FAILURE;
+			}
+			if (n == 0) {
+				break;
+			}
+			remaining -= n;
+			php_stream_filter_flush(filter, 0);
+			if (php_stream_tell(ufp) - loc > (zend_off_t) entry->uncompressed_filesize) {
+				spprintf(error, 4096, "phar error: internal corruption of phar \"%s\" (actual filesize mismatch on file \"%s\")", phar->fname, entry->filename);
+				php_stream_filter_remove(filter, 1);
+				return FAILURE;
+			}
 		}
 	}
 
