-
-
Save cmb69/05f18d11ac5cf4c70d3514f24787f087 to your computer and use it in GitHub Desktop.
PHP bug #81705
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Zend/tests/bug81705.phpt | 18 ++++++++++++++++++ | |
Zend/zend_operators.c | 7 +++++++ | |
2 files changed, 25 insertions(+) | |
diff --git a/Zend/tests/bug81705.phpt b/Zend/tests/bug81705.phpt | |
new file mode 100644 | |
index 0000000000..00e0b8e5ef | |
--- /dev/nullFrom 5514483d4e8af8d562deac1535dfb2924263b5c7 Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Tue, 4 Jan 2022 13:21:01 +0100 | |
Subject: [PATCH] Fix #81705: type confusion in concat_function | |
A userland error handler might change `op1` or `op2`, so we make sure | |
both are strings before we assume they are. Otherwise we bail out. | |
--- | |
Zend/tests/bug81705.phpt | 18 ++++++++++++++++++ | |
Zend/zend_operators.c | 7 +++++++ | |
2 files changed, 25 insertions(+) | |
create mode 100644 Zend/tests/bug81705.phpt | |
diff --git a/Zend/tests/bug81705.phpt b/Zend/tests/bug81705.phpt | |
new file mode 100644 | |
index 0000000000..00e0b8e5ef | |
--- /dev/null | |
+++ b/Zend/tests/bug81705.phpt | |
@@ -0,0 +1,18 @@ | |
+--TEST-- | |
+Bug #81705 (type confusion in concat_function) | |
+--FILE-- | |
+<?php | |
+$arr = [0]; | |
+$my_var = str_repeat("a", 1); | |
+set_error_handler( | |
+ function() use(&$my_var) { | |
+ echo("error\n"); | |
+ $my_var = 0x123; | |
+ } | |
+); | |
+$my_var .= $GLOBALS["arr"]; | |
+var_dump($my_var); | |
+?> | |
+--EXPECT-- | |
+error | |
+int(291) | |
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c | |
index acda841979..fb172f13c4 100644 | |
--- a/Zend/zend_operators.c | |
+++ b/Zend/zend_operators.c | |
@@ -1862,6 +1862,13 @@ ZEND_API zend_result ZEND_FASTCALL concat_function(zval *result, zval *op1, zval | |
} | |
} while (0); | |
+ if (UNEXPECTED(Z_TYPE_P(op1) != IS_STRING || Z_TYPE_P(op2) != IS_STRING)) { | |
+ if (orig_op1 != result) { | |
+ ZVAL_UNDEF(result); | |
+ } | |
+ return FAILURE; | |
+ } | |
+ | |
if (UNEXPECTED(Z_STRLEN_P(op1) == 0)) { | |
if (EXPECTED(result != op2)) { | |
if (result == orig_op1) { | |
-- | |
2.34.1.windows.1 | |
+++ b/Zend/tests/bug81705.phpt | |
@@ -0,0 +1,18 @@ | |
+--TEST-- | |
+Bug #81705 (type confusion in concat_function) | |
+--FILE-- | |
+<?php | |
+$arr = [0]; | |
+$my_var = str_repeat("a", 1); | |
+set_error_handler( | |
+ function() use(&$my_var) { | |
+ echo("error\n"); | |
+ $my_var = 0x123; | |
+ } | |
+); | |
+$my_var .= $GLOBALS["arr"]; | |
+var_dump($my_var); | |
+?> | |
+--EXPECT-- | |
+error | |
+int(291) | |
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c | |
index acda841979..fb172f13c4 100644 | |
--- a/Zend/zend_operators.c | |
+++ b/Zend/zend_operators.c | |
@@ -1862,6 +1862,13 @@ ZEND_API zend_result ZEND_FASTCALL concat_function(zval *result, zval *op1, zval | |
} | |
} while (0); | |
+ if (UNEXPECTED(Z_TYPE_P(op1) != IS_STRING || Z_TYPE_P(op2) != IS_STRING)) { | |
+ if (orig_op1 != result) { | |
+ ZVAL_UNDEF(result); | |
+ } | |
+ return FAILURE; | |
+ } | |
+ | |
if (UNEXPECTED(Z_STRLEN_P(op1) == 0)) { | |
if (EXPECTED(result != op2)) { | |
if (result == orig_op1) { |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment