diff options
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | ext/standard/tests/streams/user-stream-error.phpt | 16 | ||||
| -rw-r--r-- | main/streams/userspace.c | 17 |
3 files changed, 28 insertions, 6 deletions
@@ -13,6 +13,7 @@ PHP NEWS - Standard: . Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb) + . Fixed bug #73188 (use after free in userspace streams). (Sara) 13 Oct 2016, PHP 5.6.27 diff --git a/ext/standard/tests/streams/user-stream-error.phpt b/ext/standard/tests/streams/user-stream-error.phpt new file mode 100644 index 0000000000..e7351b4916 --- /dev/null +++ b/ext/standard/tests/streams/user-stream-error.phpt @@ -0,0 +1,16 @@ +--TEST-- +E_ERROR during UserStream Open +--FILE-- +<?php + +class FailStream { + public function stream_open($path, $mode, $options, &$opened_path) { + _some_undefined_function(); + } +} +stream_wrapper_register('mystream', 'FailStream'); +fopen('mystream://foo', 'r'); +echo 'Done'; + +--EXPECTF-- +Fatal error: Call to undefined function _some_undefined_function() in %s/user-stream-error.php on line %d diff --git a/main/streams/userspace.c b/main/streams/userspace.c index e65f605b12..37c0a176ed 100644 --- a/main/streams/userspace.c +++ b/main/streams/userspace.c @@ -394,12 +394,17 @@ static php_stream *user_wrapper_opener(php_stream_wrapper *wrapper, const char * MAKE_STD_ZVAL(zfuncname); ZVAL_STRING(zfuncname, USERSTREAM_OPEN, 1); - call_result = call_user_function_ex(NULL, - &us->object, - zfuncname, - &zretval, - 4, args, - 0, NULL TSRMLS_CC); + zend_try { + call_result = call_user_function_ex(NULL, + &us->object, + zfuncname, + &zretval, + 4, args, + 0, NULL TSRMLS_CC); + } zend_catch { + FG(user_stream_current_filename) = NULL; + zend_bailout(); + } zend_end_try(); if (call_result == SUCCESS && zretval != NULL && zval_is_true(zretval)) { /* the stream is now open! */ |