-rw-r--r--NEWS3
-rw-r--r--ext/session/mod_files.c2
-rw-r--r--ext/session/tests/bug73100.phpt22
3 files changed, 26 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 398f76087f..5a35114f63 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,9 @@ PHP NEWS
. Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
cmb)
+- Session:
+ . Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
+ (cmb)
15 Sep 2016, PHP 7.1.0RC2
diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c
index df8374ced0..b95a37aa1c 100644
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -114,7 +114,7 @@ static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, cons
size_t n;
key_len = strlen(key);
- if (key_len <= data->dirdepth ||
+ if (!data || key_len <= data->dirdepth ||
buflen < (strlen(data->basedir) + 2 * data->dirdepth + key_len + 5 + sizeof(FILE_PREFIX))) {
return NULL;
}
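Review bot: The `!data` guard added to the condition protects only `ps_files_path_create`; whatever left the handler's `ps_files *` NULL is not addressed, so any other function in `mod_files.c` that dereferences that pointer without a check would presumably still crash in the same state (those functions are outside this hunk, so this needs confirming). The check would be more robust at the handler entry points, or at the place where the module data is dropped while a session is still active. At minimum the condition deserves a comment such as `/* data may be NULL, e.g. after session_module_name() on an active session (bug #73100) */`. The function body starts and ends outside the hunk, and how each caller treats the NULL return is not visible here.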
diff --git a/ext/session/tests/bug73100.phpt b/ext/session/tests/bug73100.phpt
new file mode 100644
index 0000000000..0503541375
--- /dev/null
+++ b/ext/session/tests/bug73100.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #73100 (session_destroy null dereference in ps_files_path_create)
+--SKIPIF--
+<?php
+if (!extension_loaded('session')) die('skip session extension not available');
+?>
+--FILE--
+<?php
+ob_start();
+var_dump(session_start());
+session_module_name("user");
+var_dump(session_destroy());
+?>
+===DONE===
+--EXPECTF--
+bool(true)
+
+Warning: session_module_name(): A session is active. You cannot change the session module's ini settings at this time in %s on line %d
+
+Warning: session_destroy(): Session object destruction failed in %s on line %d
+bool(false)
+===DONE===
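Review bot: The test never pins the save handler, so it reaches `ps_files_path_create` only when the run-time default happens to be `files`; with a different configured handler it would not exercise the fixed path at all. Adding an `--INI--` section containing `session.save_handler=files` makes the regression test deterministic. The test also covers only `session_destroy()`, so it cannot show whether other session calls made in the same state are safe.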