Fixed bug #72858 shm_attach null dereference

diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c
index 6eba067c06e47248a902a69fa117c95608e38b09..ab20e1f98bb9f329664624c82166fabcc5db527e 100644 (file)
--- a/TSRM/tsrm_win32.c
+++ b/TSRM/tsrm_win32.c
@@ -665,6 +665,7 @@ TSRM_API int shmget(int key, int size, int flags)
 TSRM_API void *shmat(int key, const void *shmaddr, int flags)
 {
        shm_pair *shm = shm_get(key, NULL);
+       int err;
 
        if (!shm->segment) {
                return (void*)-1;
@@ -676,6 +677,15 @@ TSRM_API void *shmat(int key, const void *shmaddr, int flags)
 
        shm->addr = MapViewOfFileEx(shm->segment, FILE_MAP_ALL_ACCESS, 0, 0, 0, NULL);
 
+       err = GetLastError();
+       if (err) {
+               /* Catch more errors */
+               if (ERROR_NOT_ENOUGH_MEMORY == err) {
+                       _set_errno(ENOMEM);
+               }
+               return (void*)-1;
+       }
+
        return shm->addr;
 }
 

diff --git a/ext/sysvshm/tests/bug72858.phpt b/ext/sysvshm/tests/bug72858.phpt
new file mode 100644 (file)
index 0000000..087329e
--- /dev/null
+++ b/ext/sysvshm/tests/bug72858.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #72858 shm_attach null dereference
+--SKIPIF--
+<?php
+if (!extension_loaded("sysvshm")){ print 'skip'; }
+if (4 < PHP_INT_SIZE) { print "skip 32-bit only"; }
+if( substr(PHP_OS, 0, 3) != "WIN" ) { print "skip windows only" }
+?>
+--FILE--
+<?php
+
+$v1=100;
+$v2=0xffffffff / 4 + 0x1337;
+shm_attach($v1,$v2);
+
+?>
+==DONE==
+--EXPECTF--    
+Warning: shm_attach(): failed for key 0x64: Not enough space in %s on line %d
+==DONE==