- MFB: #38261, openssl_x509_parse leaks with invalid certs

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 656d7e330b7565e423cc197b6cfc385a04a21746..993023ba9b1ac891ff09bb24a12f8b0dfb18551f 100644 (file)
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -770,6 +770,11 @@ static X509 * php_openssl_x509_from_zval(zval ** val, int makeresource, long * r
 
                return NULL;
        }
+
+       if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) {
+               return NULL;
+       }
+
        /* force it to be a string and check if it refers to a file */
        convert_to_string_ex(val);
 

diff --git a/ext/openssl/tests/bug38261.phpt b/ext/openssl/tests/bug38261.phpt
new file mode 100644 (file)
index 0000000..e7d8060
--- /dev/null
+++ b/ext/openssl/tests/bug38261.phpt
@@ -0,0 +1,34 @@
+--TEST--
+openssl key from zval leaks 
+--SKIPIF--
+<?php 
+if (!extension_loaded("openssl")) die("skip"); 
+?>
+--FILE--
+<?php
+$cert = false;
+class test {
+       function __toString() {
+               return "test object";
+       }
+}
+$t = new test;
+
+var_dump(openssl_x509_parse("foo"));
+var_dump(openssl_x509_parse($t));
+var_dump(openssl_x509_parse(array()));
+var_dump(openssl_x509_parse());
+var_dump(openssl_x509_parse($cert));
+var_dump(openssl_x509_parse(new stdClass));
+
+?>
+--EXPECTF--
+bool(false)
+bool(false)
+bool(false)
+
+Warning: openssl_x509_parse() expects at least 1 parameter, 0 given in %s/bug38261.php on line %d
+NULL
+bool(false)
+
+Catchable fatal error: Object of class stdClass could not be converted to string in %s/bug38261.php on line %d