Skip to content

Instantly share code, notes, and snippets.

@cmb69

cmb69/.patch Secret

Created Jan 4, 2022
Embed
What would you like to do?
PHP bug #81705
Zend/tests/bug81705.phpt | 18 ++++++++++++++++++
Zend/zend_operators.c | 7 +++++++
2 files changed, 25 insertions(+)
diff --git a/Zend/tests/bug81705.phpt b/Zend/tests/bug81705.phpt
new file mode 100644
index 0000000000..00e0b8e5ef
--- /dev/nullFrom 5514483d4e8af8d562deac1535dfb2924263b5c7 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 4 Jan 2022 13:21:01 +0100
Subject: [PATCH] Fix #81705: type confusion in concat_function
A userland error handler might change `op1` or `op2`, so we make sure
both are strings before we assume they are. Otherwise we bail out.
---
Zend/tests/bug81705.phpt | 18 ++++++++++++++++++
Zend/zend_operators.c | 7 +++++++
2 files changed, 25 insertions(+)
create mode 100644 Zend/tests/bug81705.phpt
diff --git a/Zend/tests/bug81705.phpt b/Zend/tests/bug81705.phpt
new file mode 100644
index 0000000000..00e0b8e5ef
--- /dev/null
+++ b/Zend/tests/bug81705.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #81705 (type confusion in concat_function)
+--FILE--
+<?php
+$arr = [0];
+$my_var = str_repeat("a", 1);
+set_error_handler(
+ function() use(&$my_var) {
+ echo("error\n");
+ $my_var = 0x123;
+ }
+);
+$my_var .= $GLOBALS["arr"];
+var_dump($my_var);
+?>
+--EXPECT--
+error
+int(291)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index acda841979..fb172f13c4 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1862,6 +1862,13 @@ ZEND_API zend_result ZEND_FASTCALL concat_function(zval *result, zval *op1, zval
}
} while (0);
+ if (UNEXPECTED(Z_TYPE_P(op1) != IS_STRING || Z_TYPE_P(op2) != IS_STRING)) {
+ if (orig_op1 != result) {
+ ZVAL_UNDEF(result);
+ }
+ return FAILURE;
+ }
+
if (UNEXPECTED(Z_STRLEN_P(op1) == 0)) {
if (EXPECTED(result != op2)) {
if (result == orig_op1) {
--
2.34.1.windows.1
+++ b/Zend/tests/bug81705.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #81705 (type confusion in concat_function)
+--FILE--
+<?php
+$arr = [0];
+$my_var = str_repeat("a", 1);
+set_error_handler(
+ function() use(&$my_var) {
+ echo("error\n");
+ $my_var = 0x123;
+ }
+);
+$my_var .= $GLOBALS["arr"];
+var_dump($my_var);
+?>
+--EXPECT--
+error
+int(291)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index acda841979..fb172f13c4 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1862,6 +1862,13 @@ ZEND_API zend_result ZEND_FASTCALL concat_function(zval *result, zval *op1, zval
}
} while (0);
+ if (UNEXPECTED(Z_TYPE_P(op1) != IS_STRING || Z_TYPE_P(op2) != IS_STRING)) {
+ if (orig_op1 != result) {
+ ZVAL_UNDEF(result);
+ }
+ return FAILURE;
+ }
+
if (UNEXPECTED(Z_STRLEN_P(op1) == 0)) {
if (EXPECTED(result != op2)) {
if (result == orig_op1) {
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment