- 38261: openssl_x509_parse leaks with invalid certs

NEWS

@@ -19,6 +19,7 @@ PHP                                                                        NEWS
 - Fixed phpinfo() cutoff of variables at \0. (Ilia)
 - Fixed a bug in the filter extension that prevented magic_quotes_gpc from
   being applied when RAW filter is used. (Ilia)
+- Fixed bug #38261 (openssl_x509_parse() leaks with invalid cert) (Pierre)
 - Fixed bug #38255 (openssl possible leaks while passing keys) (Pierre)
 - Fixed bug #38253 (PDO produces segfault with default fetch mode). (Tony)
 - Fixed bug #38236 (Binary data gets corrupted on multipart/formdata POST).

ext/openssl/openssl.c

@@ -784,6 +784,11 @@ static X509 * php_openssl_x509_from_zval(zval ** val, int makeresource, long * r
 
 		return NULL;
 	}
+
+	if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) {
+		return NULL;
+	}
+
 	/* force it to be a string and check if it refers to a file */
 	convert_to_string_ex(val);
 

ext/openssl/tests/bug38261.phpt

@@ -0,0 +1,34 @@
+--TEST--
+openssl key from zval leaks 
+--SKIPIF--
+<?php 
+if (!extension_loaded("openssl")) die("skip"); 
+?>
+--FILE--
+<?php
+$cert = false;
+class test {
+	function __toString() {
+		return "test object";
+	}
+}
+$t = new test;
+
+var_dump(openssl_x509_parse("foo"));
+var_dump(openssl_x509_parse($t));
+var_dump(openssl_x509_parse(array()));
+var_dump(openssl_x509_parse());
+var_dump(openssl_x509_parse($cert));
+var_dump(openssl_x509_parse(new stdClass));
+
+?>
+--EXPECTF--
+bool(false)
+bool(false)
+bool(false)
+
+Warning: openssl_x509_parse() expects at least 1 parameter, 0 given in %s/bug38261.php on line %d
+NULL
+bool(false)
+
+Catchable fatal error: Object of class stdClass could not be converted to string in %s/bug38261.php on line %d