author | Christoph M. Becker <cmbecker69@gmx.de> | 2016-09-16 23:42:48 +0200 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2016-09-16 23:43:18 +0200 |
commit | 48cf8dd9c32926775798a11ee0c0fc81d8bf3c7a (patch) | |
tree | ccafd31ecf9cd3704ba3ad72a4159ab1ca159283 | |
parent | 0e76cafaf18dbbb6af609b2e765fe68fd30b8002 (diff) | |
parent | 66826730702d3ed3d6d45320ad1276977e67bb9e (diff) | |
Merge branch 'PHP-5.6' into PHP-7.0
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/session/mod_files.c | 2 | ||||
-rw-r--r-- | ext/session/tests/bug73100.phpt | 22 |
3 files changed, 25 insertions, 1 deletions
@@ -54,6 +54,8 @@ PHP NEWS - Session: . Fixed bug #68015 (Session does not report invalid uid for files save handler). (Yasuo) + . Fixed bug #73100 (session_destroy null dereference in ps_files_path_create). + (cmb) - SOAP: . Fixed bug #71711 (Soap Server Member variables reference bug). (Nikita) diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c index ed32f3564c..b33f07e69e 100644 --- a/ext/session/mod_files.c +++ b/ext/session/mod_files.c @@ -114,7 +114,7 @@ static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, cons size_t n; key_len = strlen(key); - if (key_len <= data->dirdepth || + if (!data || key_len <= data->dirdepth || buflen < (strlen(data->basedir) + 2 * data->dirdepth + key_len + 5 + sizeof(FILE_PREFIX))) { return NULL; } diff --git a/ext/session/tests/bug73100.phpt b/ext/session/tests/bug73100.phpt new file mode 100644 index 0000000000..0503541375 --- /dev/null +++ b/ext/session/tests/bug73100.phpt @@ -0,0 +1,22 @@ +--TEST-- +Bug #73100 (session_destroy null dereference in ps_files_path_create) +--SKIPIF-- +<?php +if (!extension_loaded('session')) die('skip session extension not available'); +?> +--FILE-- +<?php +ob_start(); +var_dump(session_start()); +session_module_name("user"); +var_dump(session_destroy()); +?> +===DONE=== +--EXPECTF-- +bool(true) + +Warning: session_module_name(): A session is active. You cannot change the session module's ini settings at this time in %s on line %d + +Warning: session_destroy(): Session object destruction failed in %s on line %d +bool(false) +===DONE=== |
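Review bot: The new `!data` test in the ext/session/mod_files.c hunk guards only `ps_files_path_create`, and nothing in the condition tells a reader when the handler's module data can be NULL. Judging by the added test, this seems to happen when `session_destroy()` runs after a rejected `session_module_name("user")` call; a comment above the condition such as `/* data may be NULL when the files handler holds no module data for this session (bug #73100) */` would record that. Other functions in mod_files.c that receive the same `ps_files *` are outside this hunk, so it is worth confirming that each of them checks for NULL before dereferencing it instead of relying on this helper. `strlen(key)` still runs before the guard, so the check protects `data` only and `key` is assumed non-NULL. The function body starts and ends outside the hunk.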