author | Stanislav Malyshev <stas@php.net> | 2020-02-15 20:52:19 -0800 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-02-18 09:12:51 +0100 |
commit | 08b47a3d0fcd16a4a8f351d5ee60bfa64e71b39f (patch) | |
tree | 1a61cf45f063150fca60da0986d46bc3f63ad103 | |
parent | 2589f5bd83ff644d8345bb9c684fc4338435a3a3 (diff) | |
download | php-git-08b47a3d0fcd16a4a8f351d5ee60bfa64e71b39f.tar.gz |
Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress
(cherry picked from commit 409965fe1cfa013abd377a5b567e2d19aac163e8)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/session/session.c | 10 | ||||
-rw-r--r-- | ext/session/tests/bug79221.phpt | 45 |
3 files changed, 55 insertions, 4 deletions
@@ -40,6 +40,10 @@ PHP NEWS . Fixed bug #79115 (ReflectionClass::isCloneable call reflected class __destruct). (Nikita) +- Session: + . Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). + (CVE-2020-7062) (stas) + - SPL: . Fixed bug #79151 (heap use after free caused by spl_dllist_it_helper_move_forward). (Nikita) diff --git a/ext/session/session.c b/ext/session/session.c index d0779294ec..078b3f0b3c 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -3308,10 +3308,12 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo if (PS(rfc1867_cleanup)) { php_session_rfc1867_cleanup(progress); } else { - SEPARATE_ARRAY(&progress->data); - add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1); - Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed; - php_session_rfc1867_update(progress, 1); + if (!Z_ISUNDEF(progress->data)) { + SEPARATE_ARRAY(&progress->data); + add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1); + Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed; + php_session_rfc1867_update(progress, 1); + } } php_rshutdown_session_globals(); } diff --git a/ext/session/tests/bug79221.phpt b/ext/session/tests/bug79221.phpt new file mode 100644 index 0000000000..b0972c4697 --- /dev/null +++ b/ext/session/tests/bug79221.phpt 
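Review bot: The new `!Z_ISUNDEF(progress->data)` guard in the `else` branch of the ext/session/session.c hunk checks only `progress->data`, but the guarded body also writes through `progress->post_bytes_processed` with `Z_LVAL_P`, and nothing in the hunk shows that this pointer is valid whenever `data` is defined. A one-line comment above the check would record that invariant and why the zval can be undefined at this point, for example `/* data is UNDEF when upload tracking never started (bug #79221); post_bytes_processed is only set together with it */`, with the wording confirmed against the code that initialises `progress`. The sibling branch still calls `php_session_rfc1867_cleanup(progress)` without an equivalent check, so it is worth confirming that the cleanup path tolerates an undefined `progress->data`. The extra nesting level can be avoided with `} else if (!Z_ISUNDEF(progress->data)) {`. The body of `php_session_rfc1867_callback` starts and ends outside the hunk, so any checks made earlier in the function are not visible here.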
@@ -0,0 +1,45 @@
+--TEST--
+Null Pointer Dereference in PHP Session Upload Progress
+--INI--
+error_reporting=0
+file_uploads=1
+upload_max_filesize=1024
+session.save_path=
+session.name=PHPSESSID
+session.serialize_handler=php
+session.use_strict_mode=0
+session.use_cookies=1
+session.use_only_cookies=0
+session.upload_progress.enabled=1
+session.upload_progress.cleanup=0
+session.upload_progress.prefix=upload_progress_
+session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
+session.upload_progress.freq=1%
+session.upload_progress.min_freq=0.000000001
+--COOKIE--
+PHPSESSID=session-upload
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHPSESSID"
+
+session-upload
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
+
+ryat
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; file="file"; ryat="filename"
+
+1
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+
+session_start();
+var_dump($_SESSION);
+session_destroy();
+
+--EXPECTF--
+array(0) {
+} |
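Review bot: With `error_reporting=0` in `--INI--` and an expected output of only the empty `$_SESSION` dump, this test pins the absence of a crash but would still pass if the same request began emitting warnings or notices, so a diagnostic regression on this path would go unnoticed. Consider dropping that setting, or listing the expected messages if the output is stable across builds. The expectation block contains no format placeholders, so `--EXPECT--` states the intent more precisely than `--EXPECTF--`. A `--DESCRIPTION--` section would also help the next maintainer: it could note that the last multipart part carries `file="file"; ryat="filename"` in place of the usual `name`/`filename` parameters, which appears to be the malformed input the fix is exercised with.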