From: Nikita Popov
Date: Fri, 12 Apr 2019 08:49:56 +0000 (+0200)
Subject: Fix uninitializde heredoc_tag use in readline
X-Git-Tag: php-7.4.0alpha1~529
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e5edbd0fe611c87363db5fc98fdb6e5177c00b11;p=php
Fix uninitializde heredoc_tag use in readline
Could happen if "<<<" is directly followed by a newline.
---
diff --git a/ext/readline/readline_cli.c b/ext/readline/readline_cli.c
index 1629ed012e..053954955c 100644
--- a/ext/readline/readline_cli.c
+++ b/ext/readline/readline_cli.c
@@ -210,7 +210,7 @@ static int cli_is_valid_code(char *code, size_t len, zend_string **prompt) /* {{
 int brace_count = 0;
 size_t i;
 php_code_type code_type = body;
- char *heredoc_tag;
+ char *heredoc_tag = NULL;
 size_t heredoc_len;
 for (i = 0; i < len; ++i) {
@@ -282,6 +282,7 @@ static int cli_is_valid_code(char *code, size_t len, zend_string **prompt) /* {{
 if (i + 2 < len && code[i+1] == '<' && code[i+2] == '<') {
 i += 2;
 code_type = heredoc_start;
+ heredoc_tag = NULL;
 heredoc_len = 0;
 }
 break;
@@ -333,10 +334,15 @@ static int cli_is_valid_code(char *code, size_t len, zend_string **prompt) /* {{
 break;
 case '\r':
 case '\n':
- code_type = heredoc;
+ if (heredoc_tag) {
+ code_type = heredoc;
+ } else {
+ /* Malformed heredoc without label */
+ code_type = body;
+ }
 break;
 default:
- if (!heredoc_len) {
+ if (!heredoc_tag) {
 heredoc_tag = code+i;
 }
 heredoc_len++;
@@ -344,6 +350,7 @@ static int cli_is_valid_code(char *code, size_t len, zend_string **prompt) /* {{
 }
 break;
 case heredoc:
+ ZEND_ASSERT(heredoc_tag);
 if (code[i - (heredoc_len + 1)] == '\n' && !strncmp(code + i - heredoc_len, heredoc_tag, heredoc_len) && code[i] == '\n') {
 code_type = body;
 } else if (code[i - (heredoc_len + 2)] == '\n' && !strncmp(code + i - heredoc_len - 1, heredoc_tag, heredoc_len) && code[i-1] == ';' && code[i] == '\n') {
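Review bot: In the declaration hunk (`@@ -210,7 +210,7 @@`), `size_t heredoc_len;` is still left without an initializer although its companion `heredoc_tag` now starts as NULL. It is only assigned in the `<<<` branch and is later used as an index offset and a `strncmp` length in `case heredoc:`, so its being defined depends entirely on the state machine's control flow, which is the same class of problem this commit fixes for the tag. I would initialize it alongside, `size_t heredoc_len = 0;`, so both heredoc variables have a defined value on every path. The body of cli_is_valid_code continues outside this hunk, so other uses were not checked.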
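Review bot: `ZEND_ASSERT(heredoc_tag);` at the top of `case heredoc:` (hunk `@@ -344,6 +350,7 @@`) documents the invariant but, as far as I know, is not a runtime check outside debug builds, so it should not be read as a guard for the `strncmp` calls below it. The invariant holds only because the newline branch of `heredoc_start` is, on the visible lines, the sole place that sets `code_type = heredoc`, and that dependency deserves a comment such as `/* heredoc is only entered from heredoc_start with a non-NULL tag */`. The lookbacks `code[i - (heredoc_len + 1)]` and `code[i - (heredoc_len + 2)]` are unsigned subtractions that likewise rely on `i` having advanced past the `<<<`, the tag and a newline; that appears to hold here but is nowhere stated or checked. The `case heredoc:` body continues past the end of the hunk.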