From: Bob Weinand <bobwei9@hotmail.com>
Date: Sun, 28 Jun 2015 14:30:58 +0000 (+0200)
Subject: Fix bug #69952 (Dereferencing issue in session_start())
X-Git-Tag: php-7.1.0alpha3~25^2~146
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b477aa1fad6cac41ee6959921b229cb3dba79e6e;p=php

Fix bug #69952 (Dereferencing issue in session_start())
---

diff --git a/NEWS b/NEWS
index 71c9b57466..248c285a67 100644
--- a/NEWS
+++ b/NEWS
@@ -16,13 +16,17 @@ PHP                                                                        NEWS
   . Corrected oci8 hash destructors to prevent segfaults, and a few other fixes.
     (Cameron Porter)
 
+- OpenSSL:
+  . Fixed bug #69882 (OpenSSL error "key values mismatch" after
+    openssl_pkcs12_read with extra cert) (Tomasz Sawicki)
+
 - PCRE:
   . Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the
     string). (cmb)
 
-- OpenSSL:
-  . Fixed bug #69882 (OpenSSL error "key values mismatch" after
-    openssl_pkcs12_read with extra cert) (Tomasz Sawicki)
+- Session:
+  . Fixed bug #69952 (Data integrity issues accessing superglobals by
+    reference). (Bob)
 
 25 Jun 2015, PHP 7.0.0 Alpha 2
 
diff --git a/ext/session/session.c b/ext/session/session.c
index 66b1a8628b..819008c5bb 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -1436,6 +1436,7 @@ PHPAPI const ps_serializer *_php_find_ps_serializer(char *name) /* {{{ */
 /* }}} */
 
 static void ppid2sid(zval *ppid) {
+	ZVAL_DEREF(ppid);
 	if (Z_TYPE_P(ppid) == IS_STRING) {
 		PS(id) = zend_string_init(Z_STRVAL_P(ppid), Z_STRLEN_P(ppid), 0);
 		PS(send_cookie) = 0;
@@ -1547,28 +1548,26 @@ PHPAPI void php_session_start(void) /* {{{ */
 	 */
 
 	if (!PS(id)) {
-		if (PS(use_cookies) && (data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1)) &&
-				Z_TYPE_P(data) == IS_ARRAY &&
-				(ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))
-		) {
-			ppid2sid(ppid);
-			PS(send_cookie) = 0;
+		if (PS(use_cookies) && (data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1))) {
+			ZVAL_DEREF(data);
+			if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
+				ppid2sid(ppid);
+				PS(send_cookie) = 0;
+			}
 		}
 
-		if (PS(define_sid) && !PS(id) &&
-				(data = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1)) &&
-				Z_TYPE_P(data) == IS_ARRAY &&
-				(ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))
-		) {
-			ppid2sid(ppid);
+		if (PS(define_sid) && !PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1))) {
+			ZVAL_DEREF(data);
+			if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
+				ppid2sid(ppid);
+			}
 		}
 
-		if (PS(define_sid) && !PS(id) &&
-				(data = zend_hash_str_find(&EG(symbol_table), "_POST", sizeof("_POST") - 1)) &&
-				Z_TYPE_P(data) == IS_ARRAY &&
-				(ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))
-		) {
-			ppid2sid(ppid);
+		if (PS(define_sid) && !PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_POST", sizeof("_POST") - 1))) {
+			ZVAL_DEREF(data);
+			if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
+				ppid2sid(ppid);
+			}
 		}
 
 		/* Check the REQUEST_URI symbol for a string of the form