From 67f8c14c297cf2c3d1fdf9f5143603b6d09ebbc5 Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Thu, 18 Aug 2016 14:15:10 +0200
Subject: Fixed bug #72858 shm_attach null dereference

---
 TSRM/tsrm_win32.c               | 10 ++++++++++
 ext/sysvshm/tests/bug72858.phpt | 20 ++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 ext/sysvshm/tests/bug72858.phpt

diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c
index 6eba067c06..ab20e1f98b 100644
--- a/TSRM/tsrm_win32.c
+++ b/TSRM/tsrm_win32.c
@@ -665,6 +665,7 @@ TSRM_API int shmget(int key, int size, int flags)
 TSRM_API void *shmat(int key, const void *shmaddr, int flags)
 {
 	shm_pair *shm = shm_get(key, NULL);
+	int err;
 
 	if (!shm->segment) {
 		return (void*)-1;
@@ -676,6 +677,15 @@ TSRM_API void *shmat(int key, const void *shmaddr, int flags)
 
 	shm->addr = MapViewOfFileEx(shm->segment, FILE_MAP_ALL_ACCESS, 0, 0, 0, NULL);
 
+	err = GetLastError();
+	if (err) {
+		/* Catch more errors */
+		if (ERROR_NOT_ENOUGH_MEMORY == err) {
+			_set_errno(ENOMEM);
+		}
+		return (void*)-1;
+	}
+
 	return shm->addr;
 }
 
diff --git a/ext/sysvshm/tests/bug72858.phpt b/ext/sysvshm/tests/bug72858.phpt
new file mode 100644
index 0000000000..087329e2df
--- /dev/null
+++ b/ext/sysvshm/tests/bug72858.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #72858 shm_attach null dereference
+--SKIPIF--
+<?php
+if (!extension_loaded("sysvshm")){ print 'skip'; }
+if (4 < PHP_INT_SIZE) { print "skip 32-bit only"; }
+if( substr(PHP_OS, 0, 3) != "WIN" ) { print "skip windows only" }
+?>
+--FILE--
+<?php
+
+$v1=100;
+$v2=0xffffffff / 4 + 0x1337;
+shm_attach($v1,$v2);
+
+?>
+==DONE==
+--EXPECTF--	
+Warning: shm_attach(): failed for key 0x64: Not enough space in %s on line %d
+==DONE==
-- 
cgit v1.2.1