clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-21 09:57:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.3'

Browse Source 
* PHP-8.3:
  Fix GH-15179: Segmentation fault (null pointer dereference) in ext/standard/url_scanner_ex.re
This commit is contained in:
Niels Dossche 2024-08-03 02:05:44 +02:00
commit 3ad9f4d441
No known key found for this signature in database
GPG Key ID: B8A8AD166DF0E2E5
2 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ext/standard/url_scanner_ex.re
View File

@ -737,6 +737,7 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len
zend_string *encoded;
url_adapt_state_ex_t *url_state;
php_output_handler_func_t handler;
bool should_start = false;
if (type) {
url_state = &BG(url_adapt_session_ex);
@ -748,7 +749,7 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len
if (!url_state->active) {
php_url_scanner_ex_activate(type);
php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS);
should_start = true;
url_state->active = 1;
url_state->type = type;
}
@ -788,6 +789,10 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len
smart_str_free(&hname);
smart_str_free(&hvalue);
if (should_start) {
php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS);
}
return SUCCESS;
}

18
tests/output/gh15179.phpt Normal file
View File

@ -0,0 +1,18 @@
--TEST--
GH-15179 (Segmentation fault (null pointer dereference) in ext/standard/url_scanner_ex.re)
--CREDITS--
YuanchengJiang
--INI--
memory_limit=64M
--SKIPIF--
<?php
if (getenv("USE_ZEND_ALLOC") === "0") die("skip requires ZendMM");
?>
--FILE--
<?php
$var = str_repeat('a', 20 * 1024 * 1024);
output_add_rewrite_var($var, $var);
?>
--EXPECTF--
Fatal error: Allowed memory size of %d bytes exhausted %s