From: Pierre Joye Date: Sun, 30 Jul 2006 16:26:20 +0000 (+0000) Subject: - 38261: openssl_x509_parse leaks with invalid certs X-Git-Tag: php-5.2.0RC2~148 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5def392ce1207eee2c12f51479099829d24ba078;p=php - 38261: openssl_x509_parse leaks with invalid certs --- diff --git a/NEWS b/NEWS index b39a16eaa5..24aca2de7c 100644 --- a/NEWS +++ b/NEWS @@ -19,6 +19,7 @@ PHP NEWS - Fixed phpinfo() cutoff of variables at \0. (Ilia) - Fixed a bug in the filter extension that prevented magic_quotes_gpc from being applied when RAW filter is used. (Ilia) +- Fixed bug #38261 (openssl_x509_parse() leaks with invalid cert) (Pierre) - Fixed bug #38255 (openssl possible leaks while passing keys) (Pierre) - Fixed bug #38253 (PDO produces segfault with default fetch mode). (Tony) - Fixed bug #38236 (Binary data gets corrupted on multipart/formdata POST). diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 5c73137c3c..293574ee6d 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -784,6 +784,11 @@ static X509 * php_openssl_x509_from_zval(zval ** val, int makeresource, long * r return NULL; } + + if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) { + return NULL; + } + /* force it to be a string and check if it refers to a file */ convert_to_string_ex(val); diff --git a/ext/openssl/tests/bug38261.phpt b/ext/openssl/tests/bug38261.phpt new file mode 100644 index 0000000000..e7d806083e --- /dev/null +++ b/ext/openssl/tests/bug38261.phpt @@ -0,0 +1,34 @@ +--TEST-- +openssl key from zval leaks +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +bool(false) +bool(false) +bool(false) + +Warning: openssl_x509_parse() expects at least 1 parameter, 0 given in %s/bug38261.php on line %d +NULL +bool(false) + +Catchable fatal error: Object of class stdClass could not be converted to string in %s/bug38261.php on line %d