fix bug #31454 (session_set_save_handler crashes PHP when supplied non-existent objec...

author Antony Dovgal <tony2001@php.net>

Sun, 9 Jan 2005 17:42:02 +0000 (17:42 +0000)

committer Antony Dovgal <tony2001@php.net>

Sun, 9 Jan 2005 17:42:02 +0000 (17:42 +0000)
author Antony Dovgal <tony2001@php.net>
Sun, 9 Jan 2005 17:42:02 +0000 (17:42 +0000)
committer Antony Dovgal <tony2001@php.net>
Sun, 9 Jan 2005 17:42:02 +0000 (17:42 +0000)
diff --git a/ext/session/session.c b/ext/session/session.c

index 26181a87ddf73f331bdfd284f109ced86360935a..c673412d06243c19f3535aea67b7421600d26ea1 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -1361,6 +1361,7 @@ PHP_FUNCTION(session_set_save_handler)
         zval **args[6];
         int i;
         ps_user *mdata;
+       char *name;
  
         if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) == FAILURE)
                 WRONG_PARAM_COUNT;
@@ -1368,6 +1369,14 @@ PHP_FUNCTION(session_set_save_handler)
         if (PS(session_status) != php_session_none) 
                 RETURN_FALSE;
         
+       for (i = 0; i < 6; i++) {
+               if (!zend_is_callable(*args[i], 0, &name)) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument %d is not a valid callback", i+1);
+                       efree(name);
+                       RETURN_FALSE;
+               }               
+       }
+       
         zend_alter_ini_entry("session.save_handler", sizeof("session.save_handler"), "user", sizeof("user")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
  
         mdata = emalloc(sizeof(*mdata));
author	Antony Dovgal <tony2001@php.net>
	Sun, 9 Jan 2005 17:42:02 +0000 (17:42 +0000)
committer	Antony Dovgal <tony2001@php.net>
	Sun, 9 Jan 2005 17:42:02 +0000 (17:42 +0000)