mirror of
https://github.com/php/php-src.git
synced 2025-08-16 05:58:45 +02:00
Fixed bug #80121
The issue affected both CurlHandle and CurlMultiHandle. I'll have to double check this for other resource->object conversions as well.
parent
f82414e935
commit
d96219c185
4 changed files with 45 additions and 5 deletions
4
NEWS
4
NEWS
|
@ -2,6 +2,10 @@ PHP NEWS
|
|||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
?? ??? ????, PHP 8.0.0rc2
|
||||
|
||||
- Curl:
|
||||
. Fixed bug #80121 (Null pointer deref if CurlHandle directly instantiated).
|
||||
(Nikita)
|
||||
|
||||
- SPL.
|
||||
. Fixed bug #65387 (Circular references in SPL iterators are not garbage
|
||||
collected). (Nikita)
|
||||
|
|
|
@ -3308,6 +3308,12 @@ static void curl_free_obj(zend_object *object)
|
|||
fprintf(stderr, "DTOR CALLED, ch = %x\n", ch);
|
||||
#endif
|
||||
|
||||
if (!ch->cp) {
|
||||
/* Can happen if constructor throws. */
|
||||
zend_object_std_dtor(&ch->std);
|
||||
return;
|
||||
}
|
||||
|
||||
_php_curl_verify_handlers(ch, 0);
|
||||
|
||||
/*
|
||||
|
@ -3321,12 +3327,10 @@ static void curl_free_obj(zend_object *object)
|
|||
*
|
||||
* Libcurl commit d021f2e8a00 fix this issue and should be part of 7.28.2
|
||||
*/
|
||||
if (ch->cp != NULL) {
|
||||
curl_easy_setopt(ch->cp, CURLOPT_HEADERFUNCTION, curl_write_nothing);
|
||||
curl_easy_setopt(ch->cp, CURLOPT_WRITEFUNCTION, curl_write_nothing);
|
||||
|
||||
curl_easy_cleanup(ch->cp);
|
||||
}
|
||||
|
||||
/* cURL destructors should be invoked only by last curl handle */
|
||||
if (--(*ch->clone) == 0) {
|
||||
|
|
|
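Review bot: The new early return in curl_free_obj treats a NULL `ch->cp` as proof that nothing else in the handle was set up, but the comment `/* Can happen if constructor throws. */` does not state that invariant. I would expand it to something like `/* cp is NULL only if the object was never initialised (constructor threw); clone, handlers etc. were presumably never allocated, so only the std object is released. */`. The guard is only sound if the object's create handler zero-fills the struct, which this page does not show, so that is worth confirming and mentioning in the comment. The same wording and the same assumption apply to the `if (!mh->multi)` guard added to curl_multi_free_obj. The body of curl_free_obj starts and ends outside the hunks shown here.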
@ -537,6 +537,12 @@ void curl_multi_free_obj(zend_object *object)
|
|||
php_curl *ch;
|
||||
zval *pz_ch;
|
||||
|
||||
if (!mh->multi) {
|
||||
/* Can happen if constructor throws. */
|
||||
zend_object_std_dtor(&mh->std);
|
||||
return;
|
||||
}
|
||||
|
||||
for (pz_ch = (zval *)zend_llist_get_first_ex(&mh->easyh, &pos); pz_ch;
|
||||
pz_ch = (zval *)zend_llist_get_next_ex(&mh->easyh, &pos)) {
|
||||
if (!(OBJ_FLAGS(Z_OBJ_P(pz_ch)) & IS_OBJ_FREE_CALLED)) {
|
||||
|
|
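--- a/ext/curl/tests/bug80121.phpt
+++ b/ext/curl/tests/bug80121.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #80121: Null pointer deref if CurlHandle directly instantiated
+--FILE--
+<?php
+
+try {
+new CurlHandle;
+} catch (Error $e) {
+echo $e->getMessage(), "\n";
+}
+try {
+new CurlMultiHandle;
+} catch (Error $e) {
+echo $e->getMessage(), "\n";
+}
+try {
+new CurlShareHandle;
+} catch (Error $e) {
+echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Cannot directly construct CurlHandle, use curl_init() instead
+Cannot directly construct CurlMultiHandle, use curl_multi_init() instead
+Cannot directly construct CurlShareHandle, use curl_share_init() instead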
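Review bot: The test has no `--SKIPIF--` section, so on a build without the curl extension it will fail instead of being skipped. There, `new CurlHandle` raises a class-not-found Error, which the `catch (Error $e)` blocks print in place of the expected messages. I would add `--SKIPIF--` followed by `<?php if (!extension_loaded('curl')) die('skip curl extension not loaded'); ?>` ahead of `--FILE--`. It is also worth a line in the test saying that the regression it guards is the crash when the never-initialised object is freed after the throw, since the `--EXPECT--` block only pins the exception messages.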