authorSara Golemon <pollita@php.net>2016-10-11 21:14:25 -0700
committerSara Golemon <pollita@php.net>2016-10-11 21:55:01 -0700
commit43ccf23d700ae780451e257f5a66d4210f82f026 (patch)
tree51dfeedc72897bd3a5b23afa99e04c2bbe444829
parent689a9b8def07875641b3132a82c701fb7acb676c (diff)
downloadphp-git-43ccf23d700ae780451e257f5a66d4210f82f026.tar.gz
Clear FG(user_stream_current_filename) when bailing out
If a userwrapper opener E_ERRORs then FG(user_stream_current_filename) would remain set until the next request and would now be pointing at unallocated memory. Catch the bailout, clear the variable, then continue bailing. Closes https://bugs.php.net/bug.php?id=73188
-rw-r--r--NEWS1
-rw-r--r--ext/standard/tests/streams/user-stream-error.phpt16
-rw-r--r--main/streams/userspace.c17
3 files changed, 28 insertions, 6 deletions
diff --git a/NEWS b/NEWS
index cf765ff3dc..d9e6b4c1d3 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,7 @@ PHP NEWS
- Standard:
. Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
+ . Fixed bug #73188 (use after free in userspace streams). (Sara)
13 Oct 2016, PHP 5.6.27
diff --git a/ext/standard/tests/streams/user-stream-error.phpt b/ext/standard/tests/streams/user-stream-error.phpt
new file mode 100644
index 0000000000..e7351b4916
--- /dev/null
+++ b/ext/standard/tests/streams/user-stream-error.phpt
@@ -0,0 +1,16 @@
+--TEST--
+E_ERROR during UserStream Open
+--FILE--
+<?php
+
+class FailStream {
+ public function stream_open($path, $mode, $options, &$opened_path) {
+ _some_undefined_function();
+ }
+}
+stream_wrapper_register('mystream', 'FailStream');
+fopen('mystream://foo', 'r');
+echo 'Done';
+
+--EXPECTF--
+Fatal error: Call to undefined function _some_undefined_function() in %s/user-stream-error.php on line %d
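Review bot: The script ends at the fatal error raised inside `fopen('mystream://foo', 'r')`, so nothing in this test reads FG(user_stream_current_filename) after the bailout. As far as these lines show, the expected output would be the same with or without the userspace.c change, so the test appears to pin the error message rather than the cleanup. A regression test for the fix would need some later use of the user wrapper after the bailout, for example from a registered shutdown function, with the expected output extended to match. Running the test under a memory-checking build would then make a stale pointer visible.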
diff --git a/main/streams/userspace.c b/main/streams/userspace.c
index e65f605b12..37c0a176ed 100644
--- a/main/streams/userspace.c
+++ b/main/streams/userspace.c
@@ -394,12 +394,17 @@ static php_stream *user_wrapper_opener(php_stream_wrapper *wrapper, const char *
MAKE_STD_ZVAL(zfuncname);
ZVAL_STRING(zfuncname, USERSTREAM_OPEN, 1);
- call_result = call_user_function_ex(NULL,
- &us->object,
- zfuncname,
- &zretval,
- 4, args,
- 0, NULL TSRMLS_CC);
+ zend_try {
+ call_result = call_user_function_ex(NULL,
+ &us->object,
+ zfuncname,
+ &zretval,
+ 4, args,
+ 0, NULL TSRMLS_CC);
+ } zend_catch {
+ FG(user_stream_current_filename) = NULL;
+ zend_bailout();
+ } zend_end_try();
if (call_result == SUCCESS && zretval != NULL && zval_is_true(zretval)) {
/* the stream is now open! */
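Review bot: The `zend_catch` block resets FG(user_stream_current_filename) only for a bailout raised inside this one `call_user_function_ex()` call. The hunk does not show where the global is assigned, so it cannot be confirmed whether other user code in user_wrapper_opener (such as construction of the wrapper object) runs while it is already set. If it does, that path would leave the same stale pointer, and the `zend_try` should begin right after the assignment. Any other opener in this file that sets the global before calling into user code would need the same guard. A one-line comment in the catch would help, e.g. `/* the global must not outlive the filename it points to when we bail out */`. The function body starts and ends outside the hunk.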