Fix GH-15179: Segmentation fault (null pointer dereference) in ext/standard/url_scanner_ex.re

Based on analysis by Ilija: https://github.com/php/php-src/issues/15179#issuecomment-2261546902

* Apply suggestions from code review

Closes GH-15206.

Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
Niels Dossche 2024-08-03 00:56:17 +02:00
parent dc670cb7f6
commit 67ce8759e8
No known key found for this signature in database
GPG Key ID: B8A8AD166DF0E2E5
3 changed files with 28 additions and 1 deletions

4
NEWS

@ -32,6 +32,10 @@ PHP NEWS
. Fixed bug GH-13775 (Memory leak possibly related to opcache SHM placement).
(Arnaud, nielsdos)
- Output:
. Fixed bug GH-15179 (Segmentation fault (null pointer dereference) in
ext/standard/url_scanner_ex.re). (nielsdos)
- PDO_Firebird:
. Fix bogus fallthrough path in firebird_handle_get_attribute(). (nielsdos)


@ -736,6 +736,7 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len
zend_string *encoded;
url_adapt_state_ex_t *url_state;
php_output_handler_func_t handler;
bool should_start = false;
if (type) {
url_state = &BG(url_adapt_session_ex);
@ -747,7 +748,7 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len
if (!url_state->active) {
php_url_scanner_ex_activate(type);
php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS);
should_start = true;
url_state->active = 1;
}
@ -786,6 +787,10 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len
smart_str_free(&hname);
smart_str_free(&hvalue);
if (should_start) {
php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS);
}
return SUCCESS;
}
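Review bot: `url_state->active = 1;` is still set in the early `if (!url_state->active)` block, while the `php_output_start_internal()` call it used to sit next to now runs only at the end of the function, after the string building. If a memory-limit bailout fires between the two, the state is presumably left marked active with no handler started, so a later call in the same request would skip both activation and the start. If nothing in between reads `active`, consider moving the assignment into the final `if (should_start)` block; otherwise add a comment there such as `/* Started last: a bailout during the allocations above must not leave a handler registered over half-built state (GH-15179). */`. The result of `php_output_start_internal()` is also ignored before `return SUCCESS;`. Most of the function body lies outside the visible hunks, so both points should be checked against the full function.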

18
tests/output/gh15179.phpt Normal file

@ -0,0 +1,18 @@
--TEST--
GH-15179 (Segmentation fault (null pointer dereference) in ext/standard/url_scanner_ex.re)
--CREDITS--
YuanchengJiang
--INI--
memory_limit=64M
--SKIPIF--
<?php
if (getenv("USE_ZEND_ALLOC") === "0") die("skip requires ZendMM");
?>
--FILE--
<?php
$var = str_repeat('a', 20 * 1024 * 1024);
output_add_rewrite_var($var, $var);
?>
--EXPECTF--
Fatal error: Allowed memory size of %d bytes exhausted %s