If a userwrapper opener E_ERRORs then FG(user_stream_current_filename)
would remain set until the next request and would not be pointing
at unallocated memory.
Catch the bailout, clear the variable, then continue bailing.
Closes https://bugs.php.net/bug.php?id=73188
- Standard:
. Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
+ . Fixed bug #73188 (use after free in userspace streams). (Sara)
13 Oct 2016, PHP 5.6.27
--- /dev/null
+--TEST--
+E_ERROR during UserStream Open
+--FILE--
+<?php
+
+class FailStream {
+ public function stream_open($path, $mode, $options, &$opened_path) {
+ _some_undefined_function();
+ }
+}
+stream_wrapper_register('mystream', 'FailStream');
+fopen('mystream://foo', 'r');
+echo 'Done';
+
+--EXPECTF--
+Fatal error: Call to undefined function _some_undefined_function() in %s/user-stream-error.php on line %d
MAKE_STD_ZVAL(zfuncname);
ZVAL_STRING(zfuncname, USERSTREAM_OPEN, 1);
- call_result = call_user_function_ex(NULL,
- &us->object,
- zfuncname,
- &zretval,
- 4, args,
- 0, NULL TSRMLS_CC);
+ zend_try {
+ call_result = call_user_function_ex(NULL,
+ &us->object,
+ zfuncname,
+ &zretval,
+ 4, args,
+ 0, NULL TSRMLS_CC);
+ } zend_catch {
+ FG(user_stream_current_filename) = NULL;
+ zend_bailout();
+ } zend_end_try();
if (call_result == SUCCESS && zretval != NULL && zval_is_true(zretval)) {
/* the stream is now open! */
projects / php / commitdiff