php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.4' into PHP-8.5

Browse Source 
* PHP-8.4:
  Fix memory leak in shm_get_var() when variable is corrupted
This commit is contained in:
ndossche
2026-03-10 20:30:31 +01:00
parent 3b8aac8dad ea8aab9220
commit 14f0f8650c
3 changed files with 46 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@@ -35,6 +35,9 @@ PHP NEWS
. Fixed bug GH-20627 (Cannot identify some avif images with getimagesize). . Fixed bug GH-20627 (Cannot identify some avif images with getimagesize).
(y-guyon) (y-guyon)
- Sysvshm:
. Fix memory leak in shm_get_var() when variable is corrupted. (ndossche)
12 Mar 2026, PHP 8.5.4 12 Mar 2026, PHP 8.5.4
- Core: - Core:

10
ext/sysvshm/sysvshm.c
View File

@@ -311,11 +311,13 @@ PHP_FUNCTION(shm_get_var)
shm_data = &shm_var->mem; shm_data = &shm_var->mem;
PHP_VAR_UNSERIALIZE_INIT(var_hash); PHP_VAR_UNSERIALIZE_INIT(var_hash);
if (php_var_unserialize(return_value, (const unsigned char **) &shm_data, (unsigned char *) shm_data + shm_var->length, &var_hash) != 1) { int res = php_var_unserialize(return_value, (const unsigned char **) &shm_data, (unsigned char *) shm_data + shm_var->length, &var_hash);
php_error_docref(NULL, E_WARNING, "Variable data in shared memory is corrupted");
RETVAL_FALSE;
}
PHP_VAR_UNSERIALIZE_DESTROY(var_hash); PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
if (res != 1) {
php_error_docref(NULL, E_WARNING, "Variable data in shared memory is corrupted");
zval_ptr_dtor(return_value);
RETURN_FALSE;
}
} }
/* }}} */ /* }}} */

37
ext/sysvshm/tests/shm_get_var_leak.phpt Normal file
View File

@@ -0,0 +1,37 @@
--TEST--
shm_get_var() leaks if variable is corrupted
--EXTENSIONS--
sysvshm
ffi
--INI--
ffi.enable=1
--SKIPIF--
<?php
if (!function_exists('ftok')) die('skip needs ftok');
if (PHP_INT_SIZE !== 8) die('skip only for 64-bit');
if (PHP_OS_FAMILY !== 'Linux') die('skip only for decent operating systems');
?>
--FILE--
<?php
$key = ftok(__FILE__, 't');
$s = shm_attach($key, 128);
shm_put_var($s, 0, [1, 2]);
$ffi = FFI::cdef(<<<CODE
int shmget(int, size_t, int);
char *shmat(int, const void *, int);
CODE);
$ptr = $ffi->shmat($ffi->shmget($key, 0, 0), $ffi->new('void *'), 0);
$ptr[0x40 + 13] = 0; // Corrupt first byte of second element of serialized data
var_dump(shm_get_var($s, 0));
shm_remove($s);
?>
--EXPECTF--
Warning: shm_get_var(): Variable data in shared memory is corrupted in %s on line %d
bool(false)