authorXinchen Hui <laruence@gmail.com>2016-05-05 11:12:17 +0800
committerXinchen Hui <laruence@gmail.com>2016-05-05 11:12:17 +0800
commit1a5d58b28fe96e82836c627bc833499707ac4ec5 (patch)
tree11052a812d46e51e4dde5d70f63cb99dc837a955
parent9191862121411858036b0d2a06c3a99229c8bd24 (diff)
downloadphp-git-1a5d58b28fe96e82836c627bc833499707ac4ec5.tar.gz
Fixed bug #72157 (use-after-free caused by dba_open)
-rw-r--r--NEWS3
-rw-r--r--ext/dba/dba.c6
-rw-r--r--ext/dba/tests/bug72157.phpt22
3 files changed, 26 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index fcb4a8d41e..d45eb32438 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ PHP NEWS
- Curl:
. Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE). (Pierrick)
+- DBA:
+ . Fixed bug #72157 (use-after-free caused by dba_open). (Shm, Laruence)
+
- JSON:
. Fixed bug #72069 (Behavior \JsonSerializable different from json_encode).
(Laruence)
diff --git a/ext/dba/dba.c b/ext/dba/dba.c
index e4776e734e..fd4522b9d6 100644
--- a/ext/dba/dba.c
+++ b/ext/dba/dba.c
@@ -658,11 +658,7 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, int persistent)
/* we only take string arguments */
for (i = 0; i < ac; i++) {
- if (Z_TYPE(args[i]) != IS_STRING) {
- convert_to_string_ex(&args[i]);
- } else if (Z_REFCOUNTED(args[i])) {
- Z_ADDREF(args[i]);
- }
+ ZVAL_STR(&args[i], zval_get_string(&args[i]));
keylen += Z_STRLEN(args[i]);
}
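Review bot: The replacement line `ZVAL_STR(&args[i], zval_get_string(&args[i]));` has no comment on the ownership rule it relies on, and the existing `/* we only take string arguments */` does not say why the slot is overwritten rather than converted in place. Judging from the removed `convert_to_string_ex` branch and the bug title, args[] appears to hold copies of the caller's values that this function does not own, so a comment such as `/* args[] are borrowed copies: take a fresh string ref, never convert in place (that would release the caller's value) */` would help keep a later edit from reintroducing the use-after-free. Each slot now holds a string reference owned by this function, so every exit path after the loop has to release all `ac` entries; php_dba_open's body continues outside the hunk, so that cleanup cannot be confirmed from here.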
diff --git a/ext/dba/tests/bug72157.phpt b/ext/dba/tests/bug72157.phpt
new file mode 100644
index 0000000000..7b3217012a
--- /dev/null
+++ b/ext/dba/tests/bug72157.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #72157 (use-after-free caused by dba_open)
+--SKIPIF--
+<?php
+ require_once(dirname(__FILE__) .'/skipif.inc');
+?>
+--FILE--
+<?php
+$var0 = fopen(__FILE__,"r");
+$var5 = dba_open(null,$var0);
+$var5 = dba_open(null,$var0);
+$var5 = dba_open(null,$var0);
+$var5 = dba_open($var0,$var0);
+?>
+--EXPECTF--
+Warning: dba_open(,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d
+
+Warning: dba_open(,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d
+
+Warning: dba_open(,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d
+
+Warning: dba_open(Resource id #5,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d
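Review bot: The expected output pins `Resource id #5`, which depends on how many resources the runtime allocated before the `fopen` call, so the test can fail for reasons unrelated to the bug. Using `%d` in the four `--EXPECTF--` lines would make it stable, e.g. `Warning: dba_open(,Resource id #%d): Illegal DBA mode in %sbug72157.php on line %d`. The script also never touches `$var0` after the `dba_open` calls, so on a build without a memory checker a regression may pass unnoticed. Adding `var_dump(is_resource($var0));` before the closing `?>`, with a matching `bool(true)` line in the expectation, would assert that the handle is still alive.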