From c910e78c392e2c56c6a7f0ebcc22023f4d40d620 Mon Sep 17 00:00:00 2001 From: Gina Peter Banyard Date: Mon, 30 Sep 2024 17:36:23 +0100 Subject: [PATCH] ext/ldap: Fix GH-16132 (Freeing pointer not allocated by ZMM) Closes GH-16134 --- ext/ldap/ldap.c | 4 ++++ ext/ldap/tests/gh16132-1.phpt | 28 ++++++++++++++++++++++++++++ ext/ldap/tests/gh16132-2.phpt | 28 ++++++++++++++++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 ext/ldap/tests/gh16132-1.phpt create mode 100644 ext/ldap/tests/gh16132-2.phpt diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c index f0dd3ccb4c4..ede60a29846 100644 --- a/ext/ldap/ldap.c +++ b/ext/ldap/ldap.c @@ -2181,6 +2181,8 @@ static void php_ldap_do_modify(INTERNAL_FUNCTION_PARAMETERS, int oper, int ext) convert_to_string(value); if (EG(exception)) { RETVAL_FALSE; + num_berval[i] = 0; + num_attribs = i + 1; goto cleanup; } ldap_mods[i]->mod_bvalues[0] = (struct berval *) emalloc (sizeof(struct berval)); @@ -2197,6 +2199,8 @@ static void php_ldap_do_modify(INTERNAL_FUNCTION_PARAMETERS, int oper, int ext) } convert_to_string(ivalue); if (EG(exception)) { + num_berval[i] = j; + num_attribs = i + 1; RETVAL_FALSE; goto cleanup; } diff --git a/ext/ldap/tests/gh16132-1.phpt b/ext/ldap/tests/gh16132-1.phpt new file mode 100644 index 00000000000..1979796446d --- /dev/null +++ b/ext/ldap/tests/gh16132-1.phpt @@ -0,0 +1,28 @@ +--TEST-- +Bug GH-16132: Attempting to free pointer not allocated by ZMM +--EXTENSIONS-- +ldap +--FILE-- + new stdClass(), + 'attribute2' => [ + 'value1', + 'value2', + ], +]; +try { + var_dump(ldap_add($ldap, $valid_dn, $dict_key_value_not_string)); +} catch (Throwable $e) { + echo $e::class, ': ', $e->getMessage(), PHP_EOL; +} + +?> +--EXPECT-- +Error: Object of class stdClass could not be converted to string diff --git a/ext/ldap/tests/gh16132-2.phpt b/ext/ldap/tests/gh16132-2.phpt new file mode 100644 index 00000000000..eaf3bd67dfc --- /dev/null +++ b/ext/ldap/tests/gh16132-2.phpt @@ -0,0 +1,28 @@ +--TEST-- +Bug GH-16132: Attempting to free pointer not allocated by ZMM +--EXTENSIONS-- +ldap +--FILE-- + 'value', + 'attribute2' => [ + 'value1', + new stdClass(), + ], +]; +try { + var_dump(ldap_add($ldap, $valid_dn, $dict_key_multi_value_not_list_of_strings2)); +} catch (Throwable $e) { + echo $e::class, ': ', $e->getMessage(), PHP_EOL; +} + +?> +--EXPECT-- +Error: Object of class stdClass could not be converted to string