Merge branch 'PHP-8.5'

devnexen · devnexen · commit 0e3480663493 · 2026-05-19T22:58:33.000+01:00
* PHP-8.5: Fix GH-21986: PharData::getContent() crash on infinite recursion with symlinks.
diff --git a/ext/phar/tests/tar/gh21986.phpt b/ext/phar/tests/tar/gh21986.phpt
@@ -0,0 +1,43 @@
+--TEST--
+GH-21986 (PharData::getContent() crash on circular symlink chain in tar)
+--EXTENSIONS--
+phar
+--FILE--
+<?php
+function tar_symlink($name, $target) {
+    $h  = str_pad($name, 100, "\0");
+    $h .= "0000777\0";
+    $h .= "0000000\0";
+    $h .= "0000000\0";
+    $h .= "00000000000\0";
+    $h .= "00000000000\0";
+    $h .= str_repeat(' ', 8);
+    $h .= '2';
+    $h .= str_pad($target, 100, "\0");
+    $h .= "ustar\0" . "00";
+    $h  = str_pad($h, 512, "\0");
+
+    $sum = 0;
+    for ($i = 0; $i < 512; $i++) {
+        $sum += ord($h[$i]);
+    }
+    return substr_replace($h, sprintf("%06o\0 ", $sum), 148, 8);
+}
+
+$tar = __DIR__ . '/gh21986.tar';
+file_put_contents(
+    $tar,
+    tar_symlink('a.txt', 'b.txt') .
+    tar_symlink('b.txt', 'a.txt') .
+    str_repeat("\0", 1024)
+);
+
+$phar = new PharData($tar);
+var_dump($phar['a.txt']->getContent());
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/gh21986.tar');
+?>
+--EXPECT--
+string(0) ""
diff --git a/ext/phar/util.c b/ext/phar/util.c
@@ -66,23 +66,34 @@ static zend_string *phar_get_link_location(phar_entry_info *entry) /* {{{ */
 phar_entry_info *phar_get_link_source(phar_entry_info *entry) /* {{{ */
 {
 	phar_entry_info *link_entry;
+	uint32_t depth = 0, max_depth;
 
 	if (!entry->symlink) {
 		return entry;
 	}
 
-	link_entry = zend_hash_find_ptr(&(entry->phar->manifest), entry->symlink);
-	if (link_entry) {
-		return phar_get_link_source(link_entry);
-	}
+	max_depth = zend_hash_num_elements(&(entry->phar->manifest));
+
+	while (entry->symlink) {
+		if (UNEXPECTED(++depth > max_depth)) {
+			return NULL;
+		}
+		zend_string *link = phar_get_link_location(entry);
 
-	zend_string *link = phar_get_link_location(entry);
-	link_entry = zend_hash_find_ptr(&(entry->phar->manifest), link);
-	zend_string_release(link);
-	if (link_entry) {
-		return phar_get_link_source(link_entry);
+		if (NULL != (link_entry = zend_hash_find_ptr(&(entry->phar->manifest), entry->symlink)) ||
+			NULL != (link_entry = zend_hash_find_ptr(&(entry->phar->manifest), link))) {
+			if (link != entry->symlink) {
+				zend_string_release(link);
+			}
+			entry = link_entry;
+		} else {
+			if (link != entry->symlink) {
+				zend_string_release(link);
+			}
+			return NULL;
+		}
 	}
-	return NULL;
+	return entry;
 }
 /* }}} */
 
