archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-18 15:08:55 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

- Fixed bug #32647 (Using register_shutdown_function() with invalid callback can crash PHP)

Browse source
This commit is contained in:
foobar 2005-04-21 14:44:29 +00:00
parent 62a1f82e4a
commit 4c3fdcaa4e
1 changed files with 32 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

32
ext/standard/basic_functions.c
View file

@ -2251,17 +2251,21 @@ void user_tick_function_dtor(user_tick_function_entry *tick_function_entry)
static int user_shutdown_function_call(php_shutdown_function_entry *shutdown_function_entry TSRMLS_DC)
{
zval retval;
char *function_name = NULL;
if (call_user_function( EG(function_table), NULL,
if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
} else if (call_user_function(EG(function_table), NULL,
shutdown_function_entry->arguments[0],
&retval,
shutdown_function_entry->arg_count - 1,
shutdown_function_entry->arguments + 1
TSRMLS_CC ) == SUCCESS ) {
TSRMLS_CC ) == SUCCESS)
{
zval_dtor(&retval);
} else {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call %s() - function does not exist", Z_STRVAL_P(shutdown_function_entry->arguments[0]));
}
if (function_name) {
efree(function_name);
}
return 0;
}
@ -2354,6 +2358,7 @@ void php_free_shutdown_functions(TSRMLS_D)
PHP_FUNCTION(register_shutdown_function)
{
php_shutdown_function_entry shutdown_function_entry;
char *function_name = NULL;
int i;
shutdown_function_entry.arg_count = ZEND_NUM_ARGS();
@ -2362,17 +2367,18 @@ PHP_FUNCTION(register_shutdown_function)
WRONG_PARAM_COUNT;
}
shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval *), shutdown_function_entry.arg_count, 0);
shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0);
if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) {
RETURN_FALSE;
}
/* Prevent entering of anything but arrays/strings */
if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) {
convert_to_string(shutdown_function_entry.arguments[0]);
}
/* Prevent entering of anything but valid callback (syntax check only!) */
if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown callback '%s' passed", function_name);
efree(shutdown_function_entry.arguments);
RETVAL_FALSE;
} else {
if (!BG(user_shutdown_function_names)) {
ALLOC_HASHTABLE(BG(user_shutdown_function_names));
zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0);
@ -2383,6 +2389,10 @@ PHP_FUNCTION(register_shutdown_function)
}
zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL);
}
if (function_name) {
efree(function_name);
}
}
/* }}} */