Fixed bug #24592 (Possible crash in session extnsion, with NULL values)

2 files changed, 39 insertions, 3 deletions

diff --git a/ext/session/session.c b/ext/session/session.c
index 066c4e90cf..f35fd9b454 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -734,9 +734,12 @@ static int migrate_global(HashTable *ht, HashPosition *pos TSRMLS_DC)
 
 	switch (n) {
 		case HASH_KEY_IS_STRING:
-			zend_hash_find(&EG(symbol_table), str, str_len, (void **) &val);
-			if (val) {
-				ZEND_SET_SYMBOL_WITH_LENGTH(ht, str, str_len, *val, (*val)->refcount + 1 , 1);
+			if (zend_hash_find(&EG(symbol_table), str, str_len, (void **) &val) == SUCCESS && val) {
+				if (!PZVAL_IS_REF(*val)) {
+					(*val)->is_ref = 1;
+					(*val)->refcount += 1;
+					zend_hash_update(ht, str, str_len, val, sizeof(zval *), NULL);
+				}
 				ret = 1;
 			}
 			break;
diff --git a/ext/session/tests/bug24592.phpt b/ext/session/tests/bug24592.phpt
new file mode 100644
index 0000000000..9f94c3bf11
--- /dev/null
+++ b/ext/session/tests/bug24592.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #24592 (crash when multiple NULL values are being stored)
+--INI--
+register_globals=0
+html_errors=0
+--FILE--
+<?php
+@session_start();
+        
+$foo = $_SESSION['foo'];
+$bar = $_SESSION['bar'];
+                        
+var_dump($foo, $bar, $_SESSION);
+
+$_SESSION['foo'] = $foo;
+$_SESSION['bar'] = $bar;
+                                        
+var_dump($_SESSION);
+?>
+--EXPECTF--
+Notice: Undefined index:  foo in %s on line %d
+
+Notice: Undefined index:  bar in %s on line %d
+NULL
+NULL
+array(0) {
+}
+array(2) {
+  ["foo"]=>
+  NULL
+  ["bar"]=>
+  NULL
+}