Merge branch 'PHP-8.1'

* PHP-8.1: Fix #81490: ZipArchive::extractTo() may leak memory
2024-09-23 02:47:26 +00:00 · 2021-09-30 15:45:53 +02:00 · 2021-09-30 15:45:53 +02:00 · 2a3760a2d1
commit 2a3760a2d1
parent 0dcbe4a539 80860baeb1
2 changed files with 24 additions and 1 deletions
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@ -149,11 +149,13 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file, size_t
 	virtual_file_ex(&new_state, file, NULL, CWD_EXPAND);
 	path_cleaned =  php_zip_make_relative_path(new_state.cwd, new_state.cwd_length);
 	if(!path_cleaned) {
+		CWD_STATE_FREE(new_state.cwd);
 		return 0;
 	}
 	path_cleaned_len = strlen(path_cleaned);

 	if (path_cleaned_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) {
+		CWD_STATE_FREE(new_state.cwd);
 		return 0;
 	}

@ -188,8 +190,8 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file, size_t
 			efree(file_dirname_fullpath);
 			if (!is_dir_only) {
 				zend_string_release_ex(file_basename, 0);
-				CWD_STATE_FREE(new_state.cwd);
 			}
+			CWD_STATE_FREE(new_state.cwd);
 			return 0;
 		}
 	}
--- a/ext/zip/tests/bug81490.phpt
+++ b/ext/zip/tests/bug81490.phpt
@ -0,0 +1,21 @@
+--TEST--
+Bug #81490 (ZipArchive::extractTo() may leak memory)
+--SKIPIF--
+<?php
+if (!extension_loaded("zip")) die("skip zip extension not available");
+?>
+--FILE--
+<?php
+$zip = new ZipArchive();
+$zip->open(__DIR__ . "/bug81490.zip", ZipArchive::CREATE|ZipArchive::OVERWRITE);
+$zip->addFromString("", "yada yada");
+mkdir(__DIR__ . "/bug81490");
+$zip->open(__DIR__ . "/bug81490.zip");
+$zip->extractTo(__DIR__ . "/bug81490", "");
+?>
+--EXPECT--
+--CLEAN--
+<?php
+@unlink(__DIR__ . "/bug81490.zip");
+@rmdir(__DIR__ . "/bug81490");
+?>