From: Anatol Belski Date: Wed, 11 Nov 2015 23:52:36 +0000 (+0100) Subject: Fixed bug Bug #70895 null ptr deref and segfault X-Git-Tag: php-7.0.1RC1~101 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8eef11d3179fe7c6fed8393c1bbae96fcab05c49;p=php Fixed bug Bug #70895 null ptr deref and segfault --- diff --git a/Zend/tests/bug70895.phpt b/Zend/tests/bug70895.phpt new file mode 100644 index 0000000000..e6df09c9ac --- /dev/null +++ b/Zend/tests/bug70895.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #70895 null ptr deref and segfault with crafted calable +--FILE-- + +--EXPECTREGEX-- +Warning: array_map\(\) expects parameter 1 to be a valid callback, function '%n' not found or invalid function name in .+ + +Warning: array_map\(\) expects parameter 1 to be a valid callback, function '%n %i' not found or invalid function name in .+ + +Warning: array_map\(\) expects parameter 1 to be a valid callback, function '%n %i aoeu %f aoeu %p' not found or invalid function name in .+bug70895.php on line \d+ diff --git a/Zend/zend_API.c b/Zend/zend_API.c index 5a488f7e9d..0abaccd3ec 100644 --- a/Zend/zend_API.c +++ b/Zend/zend_API.c 
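Review bot: The `--TEST--` title misspells the subject of the test; it should read `Bug #70895 null ptr deref and segfault with crafted callable`. The PHP source between `--FILE--` and `--EXPECTREGEX--` does not survive on this page, so the three inputs that produce the expected warnings cannot be checked here. What is visible shows `%n`, `%i`, `%f` and `%p` reaching the warning text as literal characters, which is the behaviour the fix is meant to guarantee.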
@@ -2989,7 +2989,28 @@ static int zend_is_callable_check_func(int check_flags, zval *callable, zend_fca
 } else {
 /* We already checked for plain function before. */
 if (error && !(check_flags & IS_CALLABLE_CHECK_SILENT)) {
- zend_spprintf(error, 0, "function '%s' not found or invalid function name", Z_STRVAL_P(callable));
+ size_t callable_name_len = Z_STRLEN_P(callable), sanitized_callable_name_len = Z_STRLEN_P(callable), k = 0, n = 0;
+ char *callable_name = Z_STRVAL_P(callable), *sanitized_callable_name = emalloc(sizeof(char) * callable_name_len);
+
+ while (k < callable_name_len) {
+ sanitized_callable_name[n] = callable_name[k];
+ if ('%' == callable_name[k]) {
+ n++;
+ sanitized_callable_name[n] = '%';
+ }
+ k++;
+ n++;
+
+ if (n == sanitized_callable_name_len) {
+ sanitized_callable_name_len += callable_name_len - k;
+ sanitized_callable_name = erealloc(sanitized_callable_name, sanitized_callable_name_len);
+ }
+ }
+ sanitized_callable_name[n] = '\0';
+
+ zend_spprintf(error, 0, "function '%s' not found or invalid function name", sanitized_callable_name);
+
+ efree(sanitized_callable_name);
 }
 return 0;
 }
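Review bot: The escaped copy is under-allocated: `emalloc(sizeof(char) * callable_name_len)` reserves no byte for the terminator, the doubled `'%'` is stored before the growth check runs, and the check uses `n == sanitized_callable_name_len`, so once `n` overshoots it never grows again. A name with no `%` therefore writes its `'\0'` one byte past the allocation, and a name ending in `%` writes two bytes past it. Since the escaped form is at most twice the input plus one byte, allocate that bound once with `safe_emalloc(callable_name_len, 2, 1)` and drop the `erealloc` path entirely, as below. The test's expectation that `'%n'` appears unescaped in the warning indicates the message is later run through a format parser by a caller outside this hunk; doubling `%` here mitigates that, but the durable fix is for that caller to pass the message as a `%s` argument. zend_is_callable_check_func starts and ends outside the hunk.
```c
			/* Every '%' is doubled, so the escaped copy needs at most 2*len+1 bytes. */
			size_t callable_name_len = Z_STRLEN_P(callable), k, n = 0;
			char *callable_name = Z_STRVAL_P(callable);
			char *sanitized_callable_name = safe_emalloc(callable_name_len, 2, 1);

			for (k = 0; k < callable_name_len; k++) {
				sanitized_callable_name[n++] = callable_name[k];
				if (callable_name[k] == '%') {
					sanitized_callable_name[n++] = '%';
				}
			}
			sanitized_callable_name[n] = '\0';
			/* … unchanged: zend_spprintf call and efree … */
```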