From d1c9ff5642a7bf744c8386175f3b798c046f6f32 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 2 Nov 2022 11:35:30 +0100
Subject: [PATCH] Fix potential NULL pointer dereference Windows shm*() functions
`shm_get()` (not to be confused with `shmget()`) returns `NULL` if reallocation fails; we need to cater to that when calling the function.
Closes GH-9872.
---
 NEWS | 1 +
 TSRM/tsrm_win32.c | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index 5dba8c376c8..40a6e666104 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ PHP NEWS
 evaluation with extra named params). (Arnaud)
 . Fixed bug GH-9801 (Generator crashes when memory limit is exceeded during initialization). (Arnaud)
+ . Fixed potential NULL pointer dereference in Windows shm*() functions. (cmb)
 - Date:
 . Fixed bug GH-9763 (DateTimeZone ctr mishandles input and adds null byte if
diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c
index bc5a6b2e23e..09549072092 100644
--- a/TSRM/tsrm_win32.c
+++ b/TSRM/tsrm_win32.c
@@ -702,7 +702,7 @@ TSRM_API void *shmat(int key, const void *shmaddr, int flags)
 {/*{{{*/
 shm_pair *shm = shm_get(key, NULL);
- if (!shm->segment) {
+ if (!shm || !shm->segment) {
 return (void*)-1;
 }
@@ -726,7 +726,7 @@ TSRM_API int shmdt(const void *shmaddr)
 shm_pair *shm = shm_get(0, (void*)shmaddr);
 int ret;
- if (!shm->segment) {
+ if (!shm || !shm->segment) {
 return -1;
 }
@@ -746,7 +746,7 @@ TSRM_API int shmctl(int key, int cmd, struct shmid_ds *buf)
 {/*{{{*/
 shm_pair *shm = shm_get(key, NULL);
- if (!shm->segment) {
+ if (!shm || !shm->segment) {
 return -1;
 }
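Review bot: The new `!shm ||` guards in shmat(), shmdt() and shmctl() fold two different failures into one return value: shm_get() returning NULL (which the commit message attributes to a failed reallocation) and an entry that has no segment. None of the visible lines set errno, so a caller cannot tell memory exhaustion from an unknown key or address; if this emulation layer reports errno elsewhere, consider handling the NULL case on its own, e.g. `if (!shm) { errno = ENOMEM; return -1; }` (`(void*)-1` in shmat). A short comment at each guard, such as `/* shm_get() returns NULL if reallocation fails */`, would also keep the extra check from being removed later as redundant. All three function bodies continue past the hunks, and any other shm_get() caller outside this diff should be checked for the same unguarded dereference.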