Fixed bug #80121

The issue affected both CurlHandle and CurlMultiHandle. I'll have to double check this for other resource->object conversions as well.
2025-08-15 21:48:51 +02:00 · 2020-10-01 17:05:23 +02:00 · 2020-10-01 17:05:23 +02:00 · d96219c185
commit d96219c185
parent f82414e935
4 changed files with 45 additions and 5 deletions
--- a/4
+++ b/4
@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.0.0rc2

+- Curl:
+  . Fixed bug #80121 (Null pointer deref if CurlHandle directly instantiated).
+    (Nikita)
+
 - SPL.
  . Fixed bug #65387 (Circular references in SPL iterators are not garbage
    collected). (Nikita)
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@ -3308,6 +3308,12 @@ static void curl_free_obj(zend_object *object)
 	fprintf(stderr, "DTOR CALLED, ch = %x\n", ch);
 #endif

+	if (!ch->cp) {
+		/* Can happen if constructor throws. */
+		zend_object_std_dtor(&ch->std);
+		return;
+	}
+
 	_php_curl_verify_handlers(ch, 0);

 	/*
@ -3321,12 +3327,10 @@ static void curl_free_obj(zend_object *object)
 	 *
 	 * Libcurl commit d021f2e8a00 fix this issue and should be part of 7.28.2
 	 */
-	if (ch->cp != NULL) {
-		curl_easy_setopt(ch->cp, CURLOPT_HEADERFUNCTION, curl_write_nothing);
-		curl_easy_setopt(ch->cp, CURLOPT_WRITEFUNCTION, curl_write_nothing);
+	curl_easy_setopt(ch->cp, CURLOPT_HEADERFUNCTION, curl_write_nothing);
+	curl_easy_setopt(ch->cp, CURLOPT_WRITEFUNCTION, curl_write_nothing);

-		curl_easy_cleanup(ch->cp);
-	}
+	curl_easy_cleanup(ch->cp);

 	/* cURL destructors should be invoked only by last curl handle */
 	if (--(*ch->clone) == 0) {
--- a/ext/curl/multi.c
+++ b/ext/curl/multi.c
@ -537,6 +537,12 @@ void curl_multi_free_obj(zend_object *object)
 	php_curl *ch;
 	zval	*pz_ch;

+	if (!mh->multi) {
+		/* Can happen if constructor throws. */
+		zend_object_std_dtor(&mh->std);
+		return;
+	}
+
 	for (pz_ch = (zval *)zend_llist_get_first_ex(&mh->easyh, &pos); pz_ch;
 		pz_ch = (zval *)zend_llist_get_next_ex(&mh->easyh, &pos)) {
 		if (!(OBJ_FLAGS(Z_OBJ_P(pz_ch)) & IS_OBJ_FREE_CALLED)) {
--- a/ext/curl/tests/bug80121.phpt
+++ b/ext/curl/tests/bug80121.phpt
@ -0,0 +1,26 @@
+--TEST--
+Bug #80121: Null pointer deref if CurlHandle directly instantiated
+--FILE--
+<?php
+
+try {
+    new CurlHandle;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    new CurlMultiHandle;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    new CurlShareHandle;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Cannot directly construct CurlHandle, use curl_init() instead
+Cannot directly construct CurlMultiHandle, use curl_multi_init() instead
+Cannot directly construct CurlShareHandle, use curl_share_init() instead