From e13b27a9d1078b628f53e3747a3f310d2712fbfe Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 1 Dec 2020 14:20:39 +0100
Subject: [PATCH] Fix #73809: Phar Zip parse crash - mmap fail

Phar signatures practically are of limited size; for the MD5 and SHA
hashes the size is fixed (at most 64 bytes for SHA512); for OpenSSL
public keys there is no size limit in theory, but "64 KiB ought to be
good enough for anybody".  So we check for that limit, to avoid fatal
errors due to out of memory conditions.

Since it is neither possible to have the signature compressed in the
ZIP archive, nor is it possible to manually add a signature via Phar,
we use ZipArchive to create a suitable archive for the test on the fly.
---
 ext/phar/tests/bug73809.phpt | 30 ++++++++++++++++++++++++++++++
 ext/phar/zip.c               |  7 ++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 ext/phar/tests/bug73809.phpt

diff --git a/ext/phar/tests/bug73809.phpt b/ext/phar/tests/bug73809.phpt
new file mode 100644
index 0000000000000..5356db8aaa071
--- /dev/null
+++ b/ext/phar/tests/bug73809.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #73809 (Phar Zip parse crash - mmap fail)
+--SKIPIF--
+<?php
+if (!extension_loaded('phar')) die('skip phar extension not available');
+if (!extension_loaded('zip')) die('skip zip extension not available');
+?>
+--FILE--
+<?php
+// create the ZIP to be tested
+$zip = new ZipArchive;
+$zip->open(__DIR__ . '/73809.zip', ZipArchive::CREATE);
+$zip->addFromString('73809.txt', 'yada yada');
+$zip->addFromString('.phar/signature.bin', str_repeat('*', 64 * 1024 + 1));
+$zip->setCompressionName('.phar/signature.bin', ZipArchive::CM_STORE);
+var_dump($zip->close());
+
+try {
+    $phar = new PharData(__DIR__ . '/73809.zip');
+} catch (Exception $ex) {
+    echo $ex->getMessage(), PHP_EOL;
+}
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/73809.zip');
+?>
+--EXPECTF--
+bool(true)
+phar error: signatures larger than 64 KiB are not supported in zip-based phar "%s"
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index b241c0589b4eb..0bf873aff16a9 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -405,8 +405,13 @@ int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alia
 			char *sig;
 			size_t sig_len;
 
-			php_stream_tell(fp);
 			pefree(entry.filename, entry.is_persistent);
+
+			if (entry.uncompressed_filesize > 0x10000) {
+				PHAR_ZIP_FAIL("signatures larger than 64 KiB are not supported");
+			}
+
+			php_stream_tell(fp);
 			sigfile = php_stream_fopen_tmpfile();
 			if (!sigfile) {
 				PHAR_ZIP_FAIL("couldn't open temporary file");