diff options
| author | Anatol Belski <ab@php.net> | 2016-08-18 14:40:20 +0200 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2016-08-18 14:40:20 +0200 |
| commit | b81a073b856b6f12025013361e2567a82f9b99d0 (patch) | |
| tree | 5594cb3f911aa7cf063083f1b8f420167aad4b2b | |
| parent | a2ee13b5ea9c2b69661bf0e440091ccaceeb49f5 (diff) | |
| parent | 67f8c14c297cf2c3d1fdf9f5143603b6d09ebbc5 (diff) | |
| download | php-git-b81a073b856b6f12025013361e2567a82f9b99d0.tar.gz | |
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Fixed bug #72858 shm_attach null dereference
| -rw-r--r-- | TSRM/tsrm_win32.c | 10 | ||||
| -rw-r--r-- | ext/sysvshm/tests/bug72858.phpt | 20 |
2 files changed, 30 insertions, 0 deletions
diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c index b6002bea84..c080f17a7c 100644 --- a/TSRM/tsrm_win32.c +++ b/TSRM/tsrm_win32.c @@ -715,6 +715,7 @@ TSRM_API int shmget(int key, int size, int flags) TSRM_API void *shmat(int key, const void *shmaddr, int flags) { shm_pair *shm = shm_get(key, NULL); + int err; if (!shm->segment) { return (void*)-1; @@ -726,6 +727,15 @@ TSRM_API void *shmat(int key, const void *shmaddr, int flags) shm->addr = MapViewOfFileEx(shm->segment, FILE_MAP_ALL_ACCESS, 0, 0, 0, NULL); + err = GetLastError(); + if (err) { + /* Catch more errors */ + if (ERROR_NOT_ENOUGH_MEMORY == err) { + _set_errno(ENOMEM); + } + return (void*)-1; + } + return shm->addr; } diff --git a/ext/sysvshm/tests/bug72858.phpt b/ext/sysvshm/tests/bug72858.phpt new file mode 100644 index 0000000000..087329e2df --- /dev/null +++ b/ext/sysvshm/tests/bug72858.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #72858 shm_attach null dereference +--SKIPIF-- +<?php +if (!extension_loaded("sysvshm")){ print 'skip'; } +if (4 < PHP_INT_SIZE) { print "skip 32-bit only"; } +if( substr(PHP_OS, 0, 3) != "WIN" ) { print "skip windows only" } +?> +--FILE-- +<?php + +$v1=100; +$v2=0xffffffff / 4 + 0x1337; +shm_attach($v1,$v2); + +?> +==DONE== +--EXPECTF-- +Warning: shm_attach(): failed for key 0x64: Not enough space in %s on line %d +==DONE== |