From: Xinchen Hui <laruence@gmail.com>
Date: Mon, 10 Feb 2020 05:01:51 +0000 (+0800)
Subject: Fixed bug #79244 (php crashes during parsing INI file). (Laruence)
X-Git-Tag: php-7.4.7RC1~214
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6295ff77b780705d132b15990c2904d2fe596e57;p=php

Fixed bug #79244 (php crashes during parsing INI file). (Laruence)

Cherry-picked the fix(not sure why this wasn't merged to 7.4) for:
Fixed bug #77589 (Core dump using parse_ini_string with numeric sections)

Section name should not be typed(NULL, FALSE, TRUE etc)

Conflicts:

	Zend/zend_ini_scanner.c
---

diff --git a/NEWS b/NEWS
index bb58aa35c0..44c659ea93 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,9 @@ PHP                                                                        NEWS
 
 ?? ??? ????, PHP 7.4.4
 
+- Core:
+  . Fixed bug #79244 (php crashes during parsing INI file). (Laruence)
+
 - COM:
   . Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
     (cmb)
diff --git a/Zend/tests/bug77589.phpt b/Zend/tests/bug77589.phpt
new file mode 100644
index 0000000000..ad07ee1351
--- /dev/null
+++ b/Zend/tests/bug77589.phpt
@@ -0,0 +1,40 @@
+--TEST--
+BUG #77589 (Core dump using parse_ini_string with numeric sections)
+--FILE--
+<?php
+var_dump(
+	parse_ini_string(<<<INI
+[0]
+a = 1
+b = on
+c = true
+
+["true"]
+a = 100 
+b = null
+c = yes
+INI
+, TRUE, INI_SCANNER_TYPED));
+
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  array(3) {
+    ["a"]=>
+    int(1)
+    ["b"]=>
+    bool(true)
+    ["c"]=>
+    bool(true)
+  }
+  ["true"]=>
+  array(3) {
+    ["a"]=>
+    int(100)
+    ["b"]=>
+    NULL
+    ["c"]=>
+    bool(true)
+  }
+}
diff --git a/Zend/zend_ini_scanner.l b/Zend/zend_ini_scanner.l
index f71f0b9193..1f4bc34742 100644
--- a/Zend/zend_ini_scanner.l
+++ b/Zend/zend_ini_scanner.l
@@ -141,13 +141,14 @@ ZEND_API zend_ini_scanner_globals ini_scanner_globals;
 	ZVAL_NEW_STR(retval, zend_string_init(str, len, ZEND_SYSTEM_INI))
 
 
-#define RETURN_TOKEN(type, str, len) {                       \
-	if (SCNG(scanner_mode) == ZEND_INI_SCANNER_TYPED) {      \
-		zend_ini_copy_typed_value(ini_lval, type, str, len); \
-	} else {                                                 \
-		zend_ini_copy_value(ini_lval, str, len);             \
-	}                                                        \
-	return type;                                             \
+#define RETURN_TOKEN(type, str, len) {                             \
+	if (SCNG(scanner_mode) == ZEND_INI_SCANNER_TYPED &&            \
+		(YYSTATE == STATE(ST_VALUE) || YYSTATE == STATE(ST_RAW))) {\
+		zend_ini_copy_typed_value(ini_lval, type, str, len);       \
+	} else {                                                       \
+		zend_ini_copy_value(ini_lval, str, len);                   \
+	}                                                              \
+	return type;                                                   \
 }
 
 static inline int convert_to_number(zval *retval, const char *str, const int str_len)