From f3d24af74fdc59981650edcd7dfec7b8747e7158 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Thu, 2 Sep 2021 16:15:29 +0200 Subject: [PATCH] Fix #81407: shmop_open won't attach and causes php to crash We need to allocate buffers for the file mapping names which are large enough for all potential keys (`key_t` is defined as `int` on Windows). Regarding the test: it's probably never a good idea to use hard-coded keys (should always use `ftok()` instead), but to reliably reproduce this Windows specific issue we need to, and it shouldn't be an issue on that OS. Closes GH-7448. --- NEWS | 3 +++ TSRM/tsrm_win32.c | 10 +++++++--- ext/shmop/tests/bug81407.phpt | 19 +++++++++++++++++++ 3 files changed, 29 insertions(+), 3 deletions(-) create mode 100644 ext/shmop/tests/bug81407.phpt diff --git a/NEWS b/NEWS index a02cf6e2dba..eae44ec2335 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,9 @@ PHP NEWS . Fixed bug #81353 (segfault with preloading and statically bound closure). (Nikita) +- Shmop: + . Fixed bug #81407 (shmop_open won't attach and causes php to crash). (cmb) + - Standard: . Fixed bug #71542 (disk_total_space does not work with relative paths). (cmb) . Fixed bug #81400 (Unterminated string in dns_get_record() results). (cmb) diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c index 75240282f61..ecf02f2dcd4 100644 --- a/TSRM/tsrm_win32.c +++ b/TSRM/tsrm_win32.c 
@@ -611,16 +611,20 @@ TSRM_API int pclose(FILE *stream) return termstat; }/*}}}*/ +#define SEGMENT_PREFIX "TSRM_SHM_SEGMENT:" +#define DESCRIPTOR_PREFIX "TSRM_SHM_DESCRIPTOR:" +#define INT_MIN_AS_STRING "-2147483648" + TSRM_API int shmget(key_t key, size_t size, int flags) {/*{{{*/ shm_pair *shm; - char shm_segment[26], shm_info[29]; + char shm_segment[sizeof(SEGMENT_PREFIX INT_MIN_AS_STRING)], shm_info[sizeof(DESCRIPTOR_PREFIX INT_MIN_AS_STRING)]; HANDLE shm_handle = NULL, info_handle = NULL; BOOL created = FALSE; if (key != IPC_PRIVATE) { - snprintf(shm_segment, sizeof(shm_segment), "TSRM_SHM_SEGMENT:%d", key); - snprintf(shm_info, sizeof(shm_info), "TSRM_SHM_DESCRIPTOR:%d", key); + snprintf(shm_segment, sizeof(shm_segment), SEGMENT_PREFIX "%d", key); + snprintf(shm_info, sizeof(shm_info), DESCRIPTOR_PREFIX "%d", key); shm_handle = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, shm_segment); info_handle = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, shm_info); diff --git a/ext/shmop/tests/bug81407.phpt b/ext/shmop/tests/bug81407.phpt new file mode 100644 index 00000000000..468e19c09e4 --- /dev/null +++ b/ext/shmop/tests/bug81407.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #81407 (shmop_open won't attach and causes php to crash) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(true) +bool(true)
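Review bot: The new sizes for `shm_segment` and `shm_info` in shmget() are only large enough while `key_t` is a 32-bit `int`, and nothing in the added lines states or enforces that assumption. If the type or a prefix changes later, `snprintf` would truncate silently again, and two different keys could resolve to the same mapping name passed to `OpenFileMapping`. I would add a comment above the three macros, for example `/* sizeof of the concatenated literal counts the NUL; INT_MIN is the longest "%d" rendering of a 32-bit key_t */`, and a compile-time check that `sizeof(key_t) == sizeof(int)` if the tree has a static-assert facility available in this file. As a second line of defence, the return value of both `snprintf` calls could be compared with the buffer size so that a truncated name fails instead of being opened. The body of shmget() continues past the end of the hunk, so how an error should be reported there is not visible from here.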