Fixed bug #24592 (Possible crash in session extnsion, with NULL values)

diff --git a/ext/session/session.c b/ext/session/session.c
index 066c4e90cf9aff25bcb768678ff43ed64bb7e9b0..f35fd9b4540f2f9c450c5b5e09c4de9218e38d51 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -734,9 +734,12 @@ static int migrate_global(HashTable *ht, HashPosition *pos TSRMLS_DC)
 
        switch (n) {
                case HASH_KEY_IS_STRING:
-                       zend_hash_find(&EG(symbol_table), str, str_len, (void **) &val);
-                       if (val) {
-                               ZEND_SET_SYMBOL_WITH_LENGTH(ht, str, str_len, *val, (*val)->refcount + 1 , 1);
+                       if (zend_hash_find(&EG(symbol_table), str, str_len, (void **) &val) == SUCCESS && val) {
+                               if (!PZVAL_IS_REF(*val)) {
+                                       (*val)->is_ref = 1;
+                                       (*val)->refcount += 1;
+                                       zend_hash_update(ht, str, str_len, val, sizeof(zval *), NULL);
+                               }
                                ret = 1;
                        }
                        break;

diff --git a/ext/session/tests/bug24592.phpt b/ext/session/tests/bug24592.phpt
new file mode 100644 (file)
index 0000000..9f94c3b
--- /dev/null
+++ b/ext/session/tests/bug24592.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #24592 (crash when multiple NULL values are being stored)
+--INI--
+register_globals=0
+html_errors=0
+--FILE--
+<?php
+@session_start();
+        
+$foo = $_SESSION['foo'];
+$bar = $_SESSION['bar'];
+                        
+var_dump($foo, $bar, $_SESSION);
+
+$_SESSION['foo'] = $foo;
+$_SESSION['bar'] = $bar;
+                                        
+var_dump($_SESSION);
+?>
+--EXPECTF--
+Notice: Undefined index:  foo in %s on line %d
+
+Notice: Undefined index:  bar in %s on line %d
+NULL
+NULL
+array(0) {
+}
+array(2) {
+  ["foo"]=>
+  NULL
+  ["bar"]=>
+  NULL
+}