From 66e4d38fb0d4f6dc7438d3fad2ef0515a8e69718 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Sat, 18 Apr 2026 08:46:43 -0400
Subject: [PATCH] phar: fix NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent

In the CGI/FastCGI branch of webPhar(), sapi_getenv("SCRIPT_NAME") can return NULL when the upstream server doesn't forward SCRIPT_NAME in the FastCGI params block. The return value was passed directly to strstr() without a NULL check, causing a segfault. Add a NULL guard that jumps to the finish: label, which is already used for the "SCRIPT_NAME doesn't match the phar basename" case. The fix matches the intent of the existing strstr check and requires no new cleanup.
Fixes GH-21797
---
 ext/phar/phar_object.c | 3 +++
 ext/phar/tests/gh21797.phpt | 31 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 ext/phar/tests/gh21797.phpt
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 18db3190bb03..cd888adc41e6 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -649,6 +649,9 @@ PHP_METHOD(Phar, webPhar)
 char *testit;
 testit = sapi_getenv("SCRIPT_NAME", sizeof("SCRIPT_NAME")-1);
+ if (!testit) {
+ goto finish;
+ }
 if (!(pt = strstr(testit, basename))) {
 efree(testit);
 goto finish;
diff --git a/ext/phar/tests/gh21797.phpt b/ext/phar/tests/gh21797.phpt
new file mode 100644
index 000000000000..8fc089b80a0c
--- /dev/null
+++ b/ext/phar/tests/gh21797.phpt
@@ -0,0 +1,31 @@
+--TEST--
+GH-21797: Phar::webPhar() NULL dereference when SCRIPT_NAME absent from SAPI environment
+--EXTENSIONS--
+phar
+--INI--
+phar.readonly=0
+phar.require_hash=0
+--FILE--
+addFromString('index.php', '');
+$phar->setStub('');
+unset($phar);
+
+// webPhar() with no HTTP context returns silently (no request method set)
+include $fname;
+echo "no crash\n";
+?>
+--CLEAN--
+
+--EXPECT--
+no crash
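Review bot: The new `if (!testit)` guard has no comment saying why `sapi_getenv()` can return NULL here, or why this exit skips the `efree(testit)` that the `strstr` failure path directly below performs. I would put `/* SCRIPT_NAME may be missing from the SAPI environment (e.g. not forwarded in the FastCGI params); nothing was allocated, so there is nothing to free */` above the guard. The value comes from the request environment supplied by the upstream server, so it is worth confirming that any other `sapi_getenv()` result used later in webPhar() is NULL-checked before use. The rest of the function and the `finish:` label lie outside the hunk, so neither that nor the "no new cleanup" claim can be checked from here.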
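Review bot: The test's own comment says webPhar() "returns silently (no request method set)", which suggests the run never reaches the CGI/FastCGI branch that calls `sapi_getenv("SCRIPT_NAME")`. If so, it would print `no crash` with or without the guard in phar_object.c and does not act as a regression test for GH-21797. A test that covers the fix would need to run under the CGI SAPI with a request method set and SCRIPT_NAME absent, for example a `--CGI--` section plus an `--ENV--` block that sets `REQUEST_METHOD=GET` and leaves out `SCRIPT_NAME`. Whether the harness then still supplies SCRIPT_NAME, and whether that setup reaches the `sapi_getenv()` path at all, needs checking against the unpatched build.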