Merge branch 'PHP-7.0' into PHP-7.1

2 files changed, 23 insertions, 1 deletions

diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c
index df8374ced0..b95a37aa1c 100644
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -114,7 +114,7 @@ static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, cons
 	size_t n;
 
 	key_len = strlen(key);
-	if (key_len <= data->dirdepth ||
+	if (!data || key_len <= data->dirdepth ||
 		buflen < (strlen(data->basedir) + 2 * data->dirdepth + key_len + 5 + sizeof(FILE_PREFIX))) {
 		return NULL;
 	}
diff --git a/ext/session/tests/bug73100.phpt b/ext/session/tests/bug73100.phpt
new file mode 100644
index 0000000000..0503541375
--- /dev/null
+++ b/ext/session/tests/bug73100.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #73100 (session_destroy null dereference in ps_files_path_create)
+--SKIPIF--
+<?php
+if (!extension_loaded('session')) die('skip session extension not available');
+?>
+--FILE--
+<?php
+ob_start();
+var_dump(session_start());
+session_module_name("user");
+var_dump(session_destroy());
+?>
+===DONE===
+--EXPECTF--
+bool(true)
+
+Warning: session_module_name(): A session is active. You cannot change the session module's ini settings at this time in %s on line %d
+
+Warning: session_destroy(): Session object destruction failed in %s on line %d
+bool(false)
+===DONE===