php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix GH-17938: UAF with zend_test opline observer and magic_quotes_gpc=1 (#17958)

Browse Source
This commit is contained in:
Niels Dossche
2025-03-03 08:20:48 +01:00
committed by GitHub
parent ce8ab5f16a
commit 504056888c
1 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
ext/zend_test/test.c
View File

@@ -666,6 +666,15 @@ void * zend_test_custom_realloc(void * ptr, size_t len)
return _zend_mm_realloc(ZT_G(zend_orig_heap), ptr, len ZEND_FILE_LINE_EMPTY_CC ZEND_FILE_LINE_EMPTY_CC);
}
static void zend_test_reset_heap(zend_zend_test_globals *zend_test_globals)
{
if (zend_test_globals->zend_test_heap) {
free(zend_test_globals->zend_test_heap);
zend_test_globals->zend_test_heap = NULL;
zend_mm_set_heap(zend_test_globals->zend_orig_heap);
}
}
static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)
{
if (new_value == NULL) {
@@ -687,10 +696,8 @@ static PHP_INI_MH(OnUpdateZendTestObserveOplineInZendMM)
);
ZT_G(zend_orig_heap) = zend_mm_get_heap();
zend_mm_set_heap(ZT_G(zend_test_heap));
} else if (ZT_G(zend_test_heap)) {
free(ZT_G(zend_test_heap));
ZT_G(zend_test_heap) = NULL;
zend_mm_set_heap(ZT_G(zend_orig_heap));
} else {
zend_test_reset_heap(ZEND_MODULE_GLOBALS_BULK(zend_test));
}
return OnUpdateBool(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
}
@@ -1339,6 +1346,7 @@ static PHP_GINIT_FUNCTION(zend_test)
static PHP_GSHUTDOWN_FUNCTION(zend_test)
{
zend_test_observer_gshutdown(zend_test_globals);
zend_test_reset_heap(zend_test_globals);
}
PHP_MINFO_FUNCTION(zend_test)