VladPolskiy/php-src
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.3' into PHP-8.4

Browse Source 
* PHP-8.3:
  Fix GH-17037: UAF in user filter when adding existing filter name due to incorrect error handling
This commit is contained in:
Niels Dossche
2024-12-04 20:05:32 +01:00
parent fbba6df626 00f4881e90
commit d6d78545ea
3 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@ -2,6 +2,9 @@ PHP NEWS
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.4.3 ?? ??? ????, PHP 8.4.3
- Streams:
. Fixed bug GH-17037 (UAF in user filter when adding existing filter name due
to incorrect error handling). (nielsdos)
05 Dec 2024, PHP 8.4.2 05 Dec 2024, PHP 8.4.2

8
ext/standard/tests/filters/gh17037.phpt Normal file
View File

@ -0,0 +1,8 @@
--TEST--
GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling)
--FILE--
<?php
var_dump(stream_filter_register('string.toupper', 'filter_string_toupper'));
?>
--EXPECT--
bool(false)

12
ext/standard/user_filters.c
View File

@ -521,13 +521,17 @@ PHP_FUNCTION(stream_filter_register)
fdat = ecalloc(1, sizeof(struct php_user_filter_data)); fdat = ecalloc(1, sizeof(struct php_user_filter_data));
fdat->classname = zend_string_copy(classname); fdat->classname = zend_string_copy(classname);
if (zend_hash_add_ptr(BG(user_filter_map), filtername, fdat) != NULL && if (zend_hash_add_ptr(BG(user_filter_map), filtername, fdat) != NULL) {
php_stream_filter_register_factory_volatile(filtername, &user_filter_factory) == SUCCESS) { if (php_stream_filter_register_factory_volatile(filtername, &user_filter_factory) == SUCCESS) {
RETVAL_TRUE; RETURN_TRUE;
}
zend_hash_del(BG(user_filter_map), filtername);
} else { } else {
zend_string_release_ex(classname, 0); zend_string_release_ex(classname, 0);
efree(fdat); efree(fdat);
RETVAL_FALSE;
} }
RETURN_FALSE;
} }
/* }}} */ /* }}} */