Fix uouv when handling empty options in ZipArchive::addGlob()

nielsdos · nielsdos · commit 0a6326c6ac93 · 2025-04-16T10:44:59.000+02:00
Reported by OpenAI AARDVARK. php_zip_parse_option is only called when options are passed to the function. Prior to this patch, php_zip_parse_option was responsible for zeroing the opts variable. So in the case when php_zip_parse_option is not called, opts remains uninitialized yet it is being used anyway. By just always zeroing opts at declaration time, we avoid this issue and we are unlikely to reintroduce this in the future. Closes GH-18329.
diff --git a/NEWS b/NEWS
@@ -43,6 +43,9 @@ PHP                                                                        NEWS
     leads to negative stream position). (David Carlier)
   . Fix resource leak in iptcembed() on error. (nielsdos)
 
+- Zip:
+  . Fix uouv when handling empty options in ZipArchive::addGlob(). (nielsdos)
+
 10 Apr 2025, PHP 8.3.20
 
 - Core:
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
@@ -354,13 +354,13 @@ typedef struct {
 #endif
 } zip_options;
 
+/* Expects opts to be zero-initialized. */
 static int php_zip_parse_options(HashTable *options, zip_options *opts)
 /* {{{ */
 {
 	zval *option;
 
 	/* default values */
-	memset(opts, 0, sizeof(zip_options));
 	opts->flags = ZIP_FL_OVERWRITE;
 	opts->comp_method = -1; /* -1 to not change default */
 #ifdef HAVE_ENCRYPTION
@@ -1732,7 +1732,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 	size_t  path_len = 1;
 	zend_long glob_flags = 0;
 	HashTable *options = NULL;
-	zip_options opts;
+	zip_options opts = {0};
 	int found;
 	zend_string *pattern;
 
diff --git a/ext/zip/tests/addGlob_empty_options.phpt b/ext/zip/tests/addGlob_empty_options.phpt
@@ -0,0 +1,22 @@
+--TEST--
+addGlob with empty options
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+
+touch($file = __DIR__ . '/addglob_empty_options.zip');
+
+$zip = new ZipArchive();
+$zip->open($file, ZipArchive::CREATE | ZipArchive::OVERWRITE);
+$zip->addGlob(__FILE__, 0, []);
+var_dump($zip->statIndex(0)['name'] === __FILE__);
+$zip->close();
+
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/addglob_empty_options.zip');
+?>
+--EXPECT--
+bool(true)
