diff options
| author | Nikita Popov <nikita.ppv@gmail.com> | 2020-10-01 17:05:23 +0200 |
|---|---|---|
| committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-10-01 17:05:23 +0200 |
| commit | d96219c185e68c82beb994db2c93bd26f47ce16a (patch) | |
| tree | a8576ab9c9bf68c94536008df3b0256e56c0467e | |
| parent | f82414e935c18c1ff45ef1f006e24220631f5717 (diff) | |
| download | php-git-d96219c185e68c82beb994db2c93bd26f47ce16a.tar.gz | |
Fixed bug #80121
The issue affected both CurlHandle and CurlMultiHandle. I'll have
to double check this for other resource->object conversions as well.
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | ext/curl/interface.c | 14 | ||||
| -rw-r--r-- | ext/curl/multi.c | 6 | ||||
| -rw-r--r-- | ext/curl/tests/bug80121.phpt | 26 |
4 files changed, 45 insertions, 5 deletions
@@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.0.0rc2 +- Curl: + . Fixed bug #80121 (Null pointer deref if CurlHandle directly instantiated). + (Nikita) + - SPL. . Fixed bug #65387 (Circular references in SPL iterators are not garbage collected). (Nikita) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 150f98d46f..8ff3e0f374 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -3308,6 +3308,12 @@ static void curl_free_obj(zend_object *object) fprintf(stderr, "DTOR CALLED, ch = %x\n", ch); #endif + if (!ch->cp) { + /* Can happen if constructor throws. */ + zend_object_std_dtor(&ch->std); + return; + } + _php_curl_verify_handlers(ch, 0); /* @@ -3321,12 +3327,10 @@ static void curl_free_obj(zend_object *object) * * Libcurl commit d021f2e8a00 fix this issue and should be part of 7.28.2 */ - if (ch->cp != NULL) { - curl_easy_setopt(ch->cp, CURLOPT_HEADERFUNCTION, curl_write_nothing); - curl_easy_setopt(ch->cp, CURLOPT_WRITEFUNCTION, curl_write_nothing); + curl_easy_setopt(ch->cp, CURLOPT_HEADERFUNCTION, curl_write_nothing); + curl_easy_setopt(ch->cp, CURLOPT_WRITEFUNCTION, curl_write_nothing); - curl_easy_cleanup(ch->cp); - } + curl_easy_cleanup(ch->cp); /* cURL destructors should be invoked only by last curl handle */ if (--(*ch->clone) == 0) { diff --git a/ext/curl/multi.c b/ext/curl/multi.c index 2c2e37e402..e717fd5d9e 100644 --- a/ext/curl/multi.c +++ b/ext/curl/multi.c @@ -537,6 +537,12 @@ void curl_multi_free_obj(zend_object *object) php_curl *ch; zval *pz_ch; + if (!mh->multi) { + /* Can happen if constructor throws. */ + zend_object_std_dtor(&mh->std); + return; + } + for (pz_ch = (zval *)zend_llist_get_first_ex(&mh->easyh, &pos); pz_ch; pz_ch = (zval *)zend_llist_get_next_ex(&mh->easyh, &pos)) { if (!(OBJ_FLAGS(Z_OBJ_P(pz_ch)) & IS_OBJ_FREE_CALLED)) { diff --git a/ext/curl/tests/bug80121.phpt b/ext/curl/tests/bug80121.phpt new file mode 100644 index 0000000000..9239cf007f --- /dev/null +++ b/ext/curl/tests/bug80121.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #80121: Null pointer deref if CurlHandle directly instantiated +--FILE-- +<?php + +try { + new CurlHandle; +} catch (Error $e) { + echo $e->getMessage(), "\n"; +} +try { + new CurlMultiHandle; +} catch (Error $e) { + echo $e->getMessage(), "\n"; +} +try { + new CurlShareHandle; +} catch (Error $e) { + echo $e->getMessage(), "\n"; +} + +?> +--EXPECT-- +Cannot directly construct CurlHandle, use curl_init() instead +Cannot directly construct CurlMultiHandle, use curl_multi_init() instead +Cannot directly construct CurlShareHandle, use curl_share_init() instead |