Fixed bug #79244 (php crashes during parsing INI file). (Laruence)
authorXinchen Hui <laruence@gmail.com>
Mon, 10 Feb 2020 05:01:51 +0000 (13:01 +0800)
committerXinchen Hui <laruence@gmail.com>
Mon, 10 Feb 2020 05:01:51 +0000 (13:01 +0800)
Cherry-picked the fix (not sure why this wasn't merged to 7.4) for:
Fixed bug #77589 (Core dump using parse_ini_string with numeric sections)

Section names should not be typed (NULL, FALSE, TRUE, etc.)

Conflicts:

Zend/zend_ini_scanner.c

NEWS
Zend/tests/bug77589.phpt [new file with mode: 0644]
Zend/zend_ini_scanner.l

diff --git a/NEWS b/NEWS
index bb58aa35c04abcc8227905fcc78dc3aa735caac5..44c659ea93a193e1ada5b2e9458c8162d34bcbae 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,9 @@ PHP                                                                        NEWS
 
 ?? ??? ????, PHP 7.4.4
 
+- Core:
+  . Fixed bug #79244 (php crashes during parsing INI file). (Laruence)
+
 - COM:
   . Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
     (cmb)
diff --git a/Zend/tests/bug77589.phpt b/Zend/tests/bug77589.phpt
new file mode 100644 (file)
index 0000000..ad07ee1
--- /dev/null
@@ -0,0 +1,40 @@
+--TEST--
+BUG #77589 (Core dump using parse_ini_string with numeric sections)
+--FILE--
+<?php
+var_dump(
+       parse_ini_string(<<<INI
+[0]
+a = 1
+b = on
+c = true
+
+["true"]
+a = 100 
+b = null
+c = yes
+INI
+, TRUE, INI_SCANNER_TYPED));
+
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  array(3) {
+    ["a"]=>
+    int(1)
+    ["b"]=>
+    bool(true)
+    ["c"]=>
+    bool(true)
+  }
+  ["true"]=>
+  array(3) {
+    ["a"]=>
+    int(100)
+    ["b"]=>
+    NULL
+    ["c"]=>
+    bool(true)
+  }
+}
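Review bot: The regression test only uses `[0]` and the quoted `["true"]` as section names, while the commit message names NULL, FALSE and TRUE as the section names that must not be typed. Adding unquoted sections such as `[true]`, `[false]` and `[null]` to the heredoc, with the keys the fix is expected to produce in --EXPECT--, would pin the behaviour that the scanner change is meant to guarantee under INI_SCANNER_TYPED. Without them, a later change to the scanner condition could bring back the crash on INI text passed to parse_ini_string() and this test would still pass.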
index f71f0b9193e9c7cdf6e507a6f76d243a12bb3b6d..1f4bc34742bce653d8666f49c8db20c5ab075b52 100644 (file)
@@ -141,13 +141,14 @@ ZEND_API zend_ini_scanner_globals ini_scanner_globals;
        ZVAL_NEW_STR(retval, zend_string_init(str, len, ZEND_SYSTEM_INI))
 
 
-#define RETURN_TOKEN(type, str, len) {                       \
-       if (SCNG(scanner_mode) == ZEND_INI_SCANNER_TYPED) {      \
-               zend_ini_copy_typed_value(ini_lval, type, str, len); \
-       } else {                                                 \
-               zend_ini_copy_value(ini_lval, str, len);             \
-       }                                                        \
-       return type;                                             \
+#define RETURN_TOKEN(type, str, len) {                             \
+       if (SCNG(scanner_mode) == ZEND_INI_SCANNER_TYPED &&            \
+               (YYSTATE == STATE(ST_VALUE) || YYSTATE == STATE(ST_RAW))) {\
+               zend_ini_copy_typed_value(ini_lval, type, str, len);       \
+       } else {                                                       \
+               zend_ini_copy_value(ini_lval, str, len);                   \
+       }                                                              \
+       return type;                                                   \
 }
 
 static inline int convert_to_number(zval *retval, const char *str, const int str_len)
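Review bot: RETURN_TOKEN now picks its branch from YYSTATE, but the macro has no comment saying why typed conversion is limited to ST_VALUE and ST_RAW. A line above the `#define` such as `/* Typed conversion applies to values only (ST_VALUE, ST_RAW); tokens in every other state, e.g. section names, stay strings. See bug #77589. */` would keep a later edit from widening the condition. The state is read where the macro expands, so a rule that switches state before invoking RETURN_TOKEN would take the other branch. The scanner rules are outside this hunk, so that needs checking there.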