From 1a5d58b28fe96e82836c627bc833499707ac4ec5 Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Thu, 5 May 2016 11:12:17 +0800 Subject: [PATCH] Fixed bug #72157 (use-after-free caused by dba_open) --- NEWS | 3 +++ ext/dba/dba.c | 6 +----- ext/dba/tests/bug72157.phpt | 22 ++++++++++++++++++++++ 3 files changed, 26 insertions(+), 5 deletions(-) create mode 100644 ext/dba/tests/bug72157.phpt diff --git a/NEWS b/NEWS index fcb4a8d41e..d45eb32438 100644 --- a/NEWS +++ b/NEWS @@ -20,6 +20,9 @@ PHP NEWS - Curl: . Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE). (Pierrick) +- DBA: + . Fixed bug #72157 (use-after-free caused by dba_open). (Shm, Laruence) + - JSON: . Fixed bug #72069 (Behavior \JsonSerializable different from json_encode). (Laruence) diff --git a/ext/dba/dba.c b/ext/dba/dba.c index e4776e734e..fd4522b9d6 100644 --- a/ext/dba/dba.c +++ b/ext/dba/dba.c @@ -658,11 +658,7 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, int persistent) /* we only take string arguments */ for (i = 0; i < ac; i++) { - if (Z_TYPE(args[i]) != IS_STRING) { - convert_to_string_ex(&args[i]); - } else if (Z_REFCOUNTED(args[i])) { - Z_ADDREF(args[i]); - } + ZVAL_STR(&args[i], zval_get_string(&args[i])); keylen += Z_STRLEN(args[i]); } diff --git a/ext/dba/tests/bug72157.phpt b/ext/dba/tests/bug72157.phpt new file mode 100644 index 0000000000..7b3217012a --- /dev/null +++ b/ext/dba/tests/bug72157.phpt @@ -0,0 +1,22 @@ +--TEST-- +Bug #72157 (use-after-free caused by dba_open) +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +Warning: dba_open(,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d + +Warning: dba_open(,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d + +Warning: dba_open(,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d + +Warning: dba_open(Resource id #5,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d -- 2.40.0