From: Sara Golemon Date: Wed, 12 Oct 2016 04:14:25 +0000 (-0700) Subject: Clear FG(user_stream_current_filename) when bailing out X-Git-Tag: php-5.6.28RC1~8 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=43ccf23d700ae780451e257f5a66d4210f82f026;p=php Clear FG(user_stream_current_filename) when bailing out If a userwrapper opener E_ERRORs then FG(user_stream_current_filename) would remain set until the next request and would not be pointing at unallocated memory. Catch the bailout, clear the variable, then continue bailing. Closes https://bugs.php.net/bug.php?id=73188 --- diff --git a/NEWS b/NEWS index cf765ff3dc..d9e6b4c1d3 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,7 @@ PHP NEWS - Standard: . Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb) + . Fixed bug #73188 (use after free in userspace streams). (Sara) 13 Oct 2016, PHP 5.6.27 diff --git a/ext/standard/tests/streams/user-stream-error.phpt b/ext/standard/tests/streams/user-stream-error.phpt new file mode 100644 index 0000000000..e7351b4916 --- /dev/null +++ b/ext/standard/tests/streams/user-stream-error.phpt @@ -0,0 +1,16 @@ +--TEST-- +E_ERROR during UserStream Open +--FILE-- +object, - zfuncname, - &zretval, - 4, args, - 0, NULL TSRMLS_CC); + zend_try { + call_result = call_user_function_ex(NULL, + &us->object, + zfuncname, + &zretval, + 4, args, + 0, NULL TSRMLS_CC); + } zend_catch { + FG(user_stream_current_filename) = NULL; + zend_bailout(); + } zend_end_try(); if (call_result == SUCCESS && zretval != NULL && zval_is_true(zretval)) { /* the stream is now open! */
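Review bot: The new test's --TEST-- title, "E_ERROR during UserStream Open", and its file name user-stream-error.phpt do not mention bug #73188, so a later failure of this test will not lead anyone back to the use-after-free report. Suggest putting the bug number in the title, for example "Bug #73188 (use after free in userspace streams)", so it matches the NEWS entry added in the same patch.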
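Review bot: The zend_catch block in the userspace.c hunk resets FG(user_stream_current_filename) without a comment, and the reason is not evident from the code itself: per the commit message, the global stays set into the next request while the memory it points to does not survive. A one-line comment above `FG(user_stream_current_filename) = NULL;` stating that would keep the guard from being removed later as apparently dead code. The guard here covers only this 4-argument call_user_function_ex call; if any other code path sets the same global around a user callback, it needs the same zend_try/zend_catch wrapping, which is worth checking before this is merged.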