Merge branch 'PHP-8.5'

LamentXU123 · LamentXU123 · commit d1ffc25a303e · 2026-06-18T23:06:49.000+08:00
* PHP-8.5: ext/phar: Fix ZIP extra field length underflow (#22330)
diff --git a/NEWS b/NEWS
@@ -164,6 +164,7 @@ PHP                                                                        NEWS
     ignored. (ndossche)
   . Fixed a bypass of the magic ".phar" directory protection in
     Phar::addEmptyDir() for paths starting with "/.phar". (Weilin Du)
+  . Fixed an integer underflow when parsing ZIP extra fields. (Weilin Du)
   . Phar::addEmptyDir() now allows non-magic directory names that merely
     share the ".phar" prefix. (Weilin Du)
   . Support overridden methods in SplFileInfo for getMTime() and getPathname()
diff --git a/ext/phar/tests/zip/zip_extra_underflow.phpt b/ext/phar/tests/zip/zip_extra_underflow.phpt
@@ -0,0 +1,91 @@
+--TEST--
+Phar: ZIP extra field length must not underflow
+--EXTENSIONS--
+phar
+--FILE--
+<?php
+function uint16($value) {
+    return pack('v', $value);
+}
+
+function uint32($value) {
+    return pack('V', $value);
+}
+
+$filename = __DIR__ . '/zip_extra_underflow.zip';
+$entry = 'test.txt';
+$contents = 'hello';
+$crc = crc32($contents);
+
+$local = uint32(0x04034b50)
+    . uint16(20)
+    . uint16(0)
+    . uint16(0)
+    . uint16(0)
+    . uint16(0)
+    . uint32($crc)
+    . uint32(strlen($contents))
+    . uint32(strlen($contents))
+    . uint16(strlen($entry))
+    . uint16(0)
+    . $entry
+    . $contents;
+
+$extra = 'XX' . uint16(1);
+
+/* Old code seeks one byte past the extra field and parses this as another extra header. */
+$commentPrefix = 'A'
+    . 'UT'
+    . uint16(5)
+    . "\x01"
+    . uint32(946684800)
+    . 'ZZ'
+    . uint16(65522);
+$comment = $commentPrefix . str_repeat('B', 65535 - strlen($commentPrefix));
+
+$central = uint32(0x02014b50)
+    . uint16(20)
+    . uint16(20)
+    . uint16(0)
+    . uint16(0)
+    . uint16(0)
+    . uint16(0)
+    . uint32($crc)
+    . uint32(strlen($contents))
+    . uint32(strlen($contents))
+    . uint16(strlen($entry))
+    . uint16(strlen($extra))
+    . uint16(strlen($comment))
+    . uint16(0)
+    . uint16(0)
+    . uint32(0)
+    . uint32(0)
+    . $entry
+    . $extra
+    . $comment;
+
+$eocd = uint32(0x06054b50)
+    . uint16(0)
+    . uint16(0)
+    . uint16(1)
+    . uint16(1)
+    . uint32(strlen($central))
+    . uint32(strlen($local))
+    . uint16(0);
+
+file_put_contents($filename, $local . $central . $eocd);
+
+try {
+    $phar = new PharData($filename);
+    echo "Loaded corrupt ZIP\n";
+    echo $phar[$entry]->getMTime(), "\n";
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/zip_extra_underflow.zip');
+?>
+--EXPECTF--
+phar error: Unable to process extra field header for file in central directory in zip-based phar "%szip_extra_underflow.zip"
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
@@ -39,19 +39,30 @@ static inline void phar_write_16(char buffer[2], uint32_t value)
 # define PHAR_SET_32(var, value) phar_write_32(var, (uint32_t) (value));
 # define PHAR_SET_16(var, value) phar_write_16(var, (uint16_t) (value));
 
-static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry, uint16_t len) /* {{{ */
+static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry, uint16_t extra_len) /* {{{ */
 {
 	union {
 		phar_zip_extra_field_header header;
 		phar_zip_unix3 unix3;
 		phar_zip_unix_time time;
 	} h;
+	size_t len = extra_len;
 	size_t read;
 
-	do {
+	while (len) {
+		size_t header_size;
+
+		if (len < sizeof(h.header)) {
+			return FAILURE;
+		}
 		if (sizeof(h.header) != php_stream_read(fp, (char *) &h.header, sizeof(h.header))) {
 			return FAILURE;
 		}
+		len -= sizeof(h.header);
+		header_size = PHAR_GET_16(h.header.size);
+		if (header_size > len) {
+			return FAILURE;
+		}
 
 		if (h.header.tag[0] == 'U' && h.header.tag[1] == 'T') {
 			/* Unix timestamp header found.
@@ -60,7 +71,6 @@ static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry
 			 * We only store the modification time in the entry, so only read that.
 			 */
 			const size_t min_size = 5;
-			uint16_t header_size = PHAR_GET_16(h.header.size);
 			if (header_size >= min_size) {
 				read = php_stream_read(fp, &h.time.flags, min_size);
 				if (read != min_size) {
@@ -71,36 +81,48 @@ static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry
 					entry->timestamp = PHAR_GET_32(h.time.time);
 				}
 
-				len -= header_size + 4;
-
 				/* Consume remaining bytes */
-				if (header_size != read) {
-					php_stream_seek(fp, header_size - read, SEEK_CUR);
+				if (header_size != read && -1 == php_stream_seek(fp, header_size - read, SEEK_CUR)) {
+					return FAILURE;
 				}
+				len -= header_size;
 				continue;
 			}
 			/* Fallthrough to next if to skip header */
 		}
 
 		if (h.header.tag[0] != 'n' || h.header.tag[1] != 'u') {
 			/* skip to next header */
-			php_stream_seek(fp, PHAR_GET_16(h.header.size), SEEK_CUR);
-			len -= PHAR_GET_16(h.header.size) + 4;
+			if (header_size && -1 == php_stream_seek(fp, header_size, SEEK_CUR)) {
+				return FAILURE;
+			}
+			len -= header_size;
 			continue;
 		}
 
 		/* unix3 header found */
-		read = php_stream_read(fp, (char *) &(h.unix3.crc32), sizeof(h.unix3) - sizeof(h.header));
-		len -= read + 4;
+		size_t unix3_size = sizeof(h.unix3) - sizeof(h.header);
+		size_t field_size = header_size;
+		if (field_size == unix3_size - sizeof(h.unix3.crc32)) {
+			/* Some archives omit the CRC32 from the unix3 size field. */
+			field_size = unix3_size;
+		}
+		if (field_size < unix3_size || field_size > len) {
+			return FAILURE;
+		}
 
-		if (sizeof(h.unix3) - sizeof(h.header) != read) {
+		read = php_stream_read(fp, (char *) &(h.unix3.crc32), unix3_size);
+		if (unix3_size != read) {
 			return FAILURE;
 		}
 
-		if (PHAR_GET_16(h.unix3.size) > sizeof(h.unix3) - 4) {
+		if (field_size > unix3_size) {
 			/* skip symlink filename - we may add this support in later */
-			php_stream_seek(fp, PHAR_GET_16(h.unix3.size) - sizeof(h.unix3.size), SEEK_CUR);
+			if (-1 == php_stream_seek(fp, field_size - unix3_size, SEEK_CUR)) {
+				return FAILURE;
+			}
 		}
+		len -= field_size;
 
 		/* set permissions */
 		entry->flags &= PHAR_ENT_COMPRESSION_MASK;
@@ -111,7 +133,7 @@ static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry
 			entry->flags |= PHAR_GET_16(h.unix3.perms) & PHAR_ENT_PERM_MASK;
 		}
 
-	} while (len);
+	}
 
 	return SUCCESS;
 }
