archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source 
* PHP-8.3:
  Fix GH-17225: NULL deref in spl_directory.c
This commit is contained in:
Niels Dossche 2024-12-21 12:47:48 +01:00
commit a02648087a
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
3 changed files with 64 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

1
NEWS
View file

@ -88,6 +88,7 @@ PHP NEWS
- SPL: - SPL:
. Fixed bug GH-17198 (SplFixedArray assertion failure with get_object_vars). . Fixed bug GH-17198 (SplFixedArray assertion failure with get_object_vars).
(nielsdos) (nielsdos)
. Fixed bug GH-17225 (NULL deref in spl_directory.c). (nielsdos)
- Streams: - Streams:
. Fixed bug GH-17037 (UAF in user filter when adding existing filter name due . Fixed bug GH-17037 (UAF in user filter when adding existing filter name due

16
ext/spl/spl_directory.c
View file

@ -203,10 +203,16 @@ static zend_object *spl_filesystem_object_new(zend_class_entry *class_type)
} }
/* }}} */ /* }}} */
static inline bool spl_intern_is_glob(const spl_filesystem_object *intern)
{
/* NULL check on `dirp` is necessary as destructors may interfere. */
return intern->u.dir.dirp && php_stream_is(intern->u.dir.dirp, &php_glob_stream_ops);
}
PHPAPI zend_string *spl_filesystem_object_get_path(const spl_filesystem_object *intern) /* {{{ */ PHPAPI zend_string *spl_filesystem_object_get_path(const spl_filesystem_object *intern) /* {{{ */
{ {
#ifdef HAVE_GLOB #ifdef HAVE_GLOB
if (intern->type == SPL_FS_DIR && php_stream_is(intern->u.dir.dirp, &php_glob_stream_ops)) { if (intern->type == SPL_FS_DIR && spl_intern_is_glob(intern)) {
size_t len = 0; size_t len = 0;
char *tmp = php_glob_stream_get_path(intern->u.dir.dirp, &len); char *tmp = php_glob_stream_get_path(intern->u.dir.dirp, &len);
if (len == 0) { if (len == 0) {
@ -636,7 +642,7 @@ static inline HashTable *spl_filesystem_object_get_debug_info(zend_object *objec
} }
if (intern->type == SPL_FS_DIR) { if (intern->type == SPL_FS_DIR) {
#ifdef HAVE_GLOB #ifdef HAVE_GLOB
if (intern->u.dir.dirp && php_stream_is(intern->u.dir.dirp ,&php_glob_stream_ops)) { if (spl_intern_is_glob(intern)) {
ZVAL_STR_COPY(&tmp, intern->path); ZVAL_STR_COPY(&tmp, intern->path);
} else { } else {
ZVAL_FALSE(&tmp); ZVAL_FALSE(&tmp);
@ -1590,11 +1596,11 @@ PHP_METHOD(GlobIterator, count)
RETURN_THROWS(); RETURN_THROWS();
} }
if (intern->u.dir.dirp && php_stream_is(intern->u.dir.dirp ,&php_glob_stream_ops)) { if (spl_intern_is_glob(intern)) {
RETURN_LONG(php_glob_stream_get_count(intern->u.dir.dirp, NULL)); RETURN_LONG(php_glob_stream_get_count(intern->u.dir.dirp, NULL));
} else { } else {
/* should not happen */ /* This can happen by abusing destructors. */
// TODO ZEND_ASSERT ? /* TODO: relax this from E_ERROR to an exception */
php_error_docref(NULL, E_ERROR, "GlobIterator lost glob state"); php_error_docref(NULL, E_ERROR, "GlobIterator lost glob state");
} }
} }

52
ext/spl/tests/gh17225.phpt Normal file
View file

@ -0,0 +1,52 @@
--TEST--
GH-17225 (NULL deref in spl_directory.c)
--CREDITS--
YuanchengJiang
--EXTENSIONS--
phar
--INI--
phar.readonly=0
--FILE--
<?php
$fname = __DIR__ . '/gh17225.phar.zip';
$phar = new Phar($fname);
class HasDestructor {
public function __destruct() {
var_dump($GLOBALS['s']);
}
}
$s = new SplObjectStorage();
$s[$phar] = new HasDestructor();
register_shutdown_function(function() {
global $s;
});
var_dump($phar->isLink());
?>
--CLEAN--
<?php
@unlink(__DIR__ . '/gh17225.phar.zip');
?>
--EXPECTF--
bool(false)
object(SplObjectStorage)#%d (1) {
["storage":"SplObjectStorage":private]=>
array(1) {
[0]=>
array(2) {
["obj"]=>
object(Phar)#%d (4) {
["pathName":"SplFileInfo":private]=>
string(0) ""
["fileName":"SplFileInfo":private]=>
string(0) ""
["glob":"DirectoryIterator":private]=>
bool(false)
["subPathName":"RecursiveDirectoryIterator":private]=>
string(0) ""
}
["inf"]=>
object(HasDestructor)#%d (0) {
}
}
}
}