Fixed bug #72165 Null pointer dereference - openssl_csr_new

2 files changed, 26 insertions, 3 deletions

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 4a096f779a..44b3fa4985 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -2764,12 +2764,18 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
 			}
 		}
 		if (attribs) {
-			ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(attribs), strindex, item) {
+			zend_long numindex;
+			ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(attribs), numindex, strindex, item) {
 				int nid;
 
 				convert_to_string_ex(item);
-
-				nid = OBJ_txt2nid(ZSTR_VAL(strindex));
+				if (NULL == strindex) {
+					char tmp[ZEND_LTOA_BUF_LEN];
+					ZEND_LTOA(numindex, tmp, ZEND_LTOA_BUF_LEN);
+					nid = OBJ_txt2nid(tmp);
+				} else {
+					nid = OBJ_txt2nid(ZSTR_VAL(strindex));
+				}
 				if (nid != NID_undef) {
 					if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, (unsigned char*)Z_STRVAL_P(item), -1, -1, 0)) {
 						php_error_docref(NULL, E_WARNING, "attribs: add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_P(item));
diff --git a/ext/openssl/tests/bug72165.phpt b/ext/openssl/tests/bug72165.phpt
new file mode 100644
index 0000000000..c7e0d1a7c6
--- /dev/null
+++ b/ext/openssl/tests/bug72165.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72165 Null pointer dereference - openssl_csr_new
+--SKIPIF--
+<?php 
+if (!extension_loaded("openssl")) die("skip"); 
+?>
+--FILE--
+<?php
+$var0 = array(0 => "hello", 1 => "world");
+$var2 = openssl_csr_new(array(0),$var0,null,array(0));
+?>
+==DONE==
+--EXPECTF--
+Warning: openssl_csr_new(): dn:  is not a recognized name in %sbug72165.php on line %d
+
+Warning: openssl_csr_new(): add1_attr_by_txt challengePassword_min -> 4 (failed; check error queue and value of string_mask OpenSSL option if illegal characters are reported) in %sbug72165.php on line %d
+==DONE==