diff options
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/session/mod_files.c | 2 | ||||
| -rw-r--r-- | ext/session/tests/bug73100.phpt | 22 |
3 files changed, 25 insertions, 1 deletions
@@ -54,6 +54,8 @@ PHP NEWS - Session: . Fixed bug #68015 (Session does not report invalid uid for files save handler). (Yasuo) + . Fixed bug #73100 (session_destroy null dereference in ps_files_path_create). + (cmb) - SOAP: . Fixed bug #71711 (Soap Server Member variables reference bug). (Nikita) diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c index ed32f3564c..b33f07e69e 100644 --- a/ext/session/mod_files.c +++ b/ext/session/mod_files.c @@ -114,7 +114,7 @@ static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, cons size_t n; key_len = strlen(key); - if (key_len <= data->dirdepth || + if (!data || key_len <= data->dirdepth || buflen < (strlen(data->basedir) + 2 * data->dirdepth + key_len + 5 + sizeof(FILE_PREFIX))) { return NULL; } diff --git a/ext/session/tests/bug73100.phpt b/ext/session/tests/bug73100.phpt new file mode 100644 index 0000000000..0503541375 --- /dev/null +++ b/ext/session/tests/bug73100.phpt @@ -0,0 +1,22 @@ +--TEST-- +Bug #73100 (session_destroy null dereference in ps_files_path_create) +--SKIPIF-- +<?php +if (!extension_loaded('session')) die('skip session extension not available'); +?> +--FILE-- +<?php +ob_start(); +var_dump(session_start()); +session_module_name("user"); +var_dump(session_destroy()); +?> +===DONE=== +--EXPECTF-- +bool(true) + +Warning: session_module_name(): A session is active. You cannot change the session module's ini settings at this time in %s on line %d + +Warning: session_destroy(): Session object destruction failed in %s on line %d +bool(false) +===DONE=== |