
Commit 67ce875

nielsdosiluuu1994
andcommitted
Fix phpGH-15179: Segmentation fault (null pointer dereference) in ext/standard/url_scanner_ex.re
Based on analysis by Ilija: php#15179 (comment) * Apply suggestions from code review Closes phpGH-15206. Co-authored-by: Ilija Tovilo <[email protected]>
1 parent dc670cb commit 67ce875


3 files changed

+28
-1
lines changed


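--- a/NEWS
+++ b/NEWS
@@ -32,6 +32,10 @@ PHP NEWS
 . Fixed bug GH-13775 (Memory leak possibly related to opcache SHM placement).
 (Arnaud, nielsdos)
 
+- Output:
+. Fixed bug GH-15179 (Segmentation fault (null pointer dereference) in
+ext/standard/url_scanner_ex.re). (nielsdos)
+
 - PDO_Firebird:
 . Fix bogus fallthrough path in firebird_handle_get_attribute(). (nielsdos)
 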

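--- a/ext/standard/url_scanner_ex.re
+++ b/ext/standard/url_scanner_ex.re
@@ -736,6 +736,7 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len
 zend_string *encoded;
 url_adapt_state_ex_t *url_state;
 php_output_handler_func_t handler;
+bool should_start = false;
 
 if (type) {
 url_state = &BG(url_adapt_session_ex);
@@ -747,7 +748,7 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len
 
 if (!url_state->active) {
 php_url_scanner_ex_activate(type);
-php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS);
+should_start = true;
 url_state->active = 1;
 }
 
@@ -786,6 +787,10 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len
 smart_str_free(&hname);
 smart_str_free(&hvalue);
 
+if (should_start) {
+php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS);
+}
+
 return SUCCESS;
 }
 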
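Review bot: `url_state->active = 1;` stays in the early `if (!url_state->active)` block, while the handler start it was paired with now runs only just before `return SUCCESS;`. If the code between the second and third hunk bails out, as the new test provokes with a memory-limit error, the state is left marked active although no handler was started, so a later call in the same request would take neither branch. Unless code outside these hunks resets the flag, consider setting it inside the new `if (should_start)` block, and put a comment on the declaration, e.g. `/* Start the output handler last: a bailout while building the rewrite vars must not leave a handler running on (presumably) half-initialised state. */`. The function starts above the first hunk and the code between the hunks is not shown, so this should be checked against the full body.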

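--- a/tests/output/gh15179.phpt
+++ b/tests/output/gh15179.phpt
@@ -0,0 +1,18 @@
+--TEST--
+GH-15179 (Segmentation fault (null pointer dereference) in ext/standard/url_scanner_ex.re)
+--CREDITS--
+YuanchengJiang
+--INI--
+memory_limit=64M
+--SKIPIF--
+<?php
+if (getenv("USE_ZEND_ALLOC") === "0") die("skip requires ZendMM");
+?>
+--FILE--
+<?php
+$var = str_repeat('a', 20 * 1024 * 1024);
+
+output_add_rewrite_var($var, $var);
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of %d bytes exhausted %s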
