From 90ae1818d54b3017ed114d45e83924eebafdb7d7 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 15 Feb 2020 20:52:19 -0800
Subject: [PATCH] Fix bug #79221 - Null Pointer Dereference in PHP Session
Upload Progress
---
ext/session/session.c | 10 +++++---
ext/session/tests/bug79221.phpt | 45 +++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 4 deletions(-)
create mode 100644 ext/session/tests/bug79221.phpt
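diff --git a/ext/session/session.c b/ext/session/session.c
index 0470ba1fc645..ad299209b6a4 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -3217,10 +3217,12 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
 if (PS(rfc1867_cleanup)) {
 php_session_rfc1867_cleanup(progress);
 } else {
- SEPARATE_ARRAY(&progress->data);
- add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
- Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
- php_session_rfc1867_update(progress, 1);
+ if (!Z_ISUNDEF(progress->data)) {
+ SEPARATE_ARRAY(&progress->data);
+ add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
+ Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
+ php_session_rfc1867_update(progress, 1);
+ }
 }
 php_rshutdown_session_globals();
 }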
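Review bot: The new `if (!Z_ISUNDEF(progress->data))` guard in the `else` branch has no comment saying when `progress->data` can still be undefined here, and it also silently covers the `Z_LVAL_P(progress->post_bytes_processed)` dereference, which depends on that pointer being set whenever `data` is defined — an invariant the hunk does not show. I would add above the guard `/* data stays UNDEF when the request carried the progress field but no file part ever initialized it (bug #79221) */`, with the wording confirmed against the initialization code outside the hunk. The `PS(rfc1867_cleanup)` branch still calls `php_session_rfc1867_cleanup(progress)` unguarded; presumably it does not read `progress->data`, but that should be confirmed. `php_session_rfc1867_callback` starts and ends outside this hunk.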
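diff --git a/ext/session/tests/bug79221.phpt b/ext/session/tests/bug79221.phpt
new file mode 100644
index 000000000000..b0972c469705
--- /dev/null
+++ b/ext/session/tests/bug79221.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Null Pointer Dereference in PHP Session Upload Progress
+--INI--
+error_reporting=0
+file_uploads=1
+upload_max_filesize=1024
+session.save_path=
+session.name=PHPSESSID
+session.serialize_handler=php
+session.use_strict_mode=0
+session.use_cookies=1
+session.use_only_cookies=0
+session.upload_progress.enabled=1
+session.upload_progress.cleanup=0
+session.upload_progress.prefix=upload_progress_
+session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
+session.upload_progress.freq=1%
+session.upload_progress.min_freq=0.000000001
+--COOKIE--
+PHPSESSID=session-upload
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHPSESSID"
+
+session-upload
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
+
+ryat
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; file="file"; ryat="filename"
+
+1
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+
+session_start();
+var_dump($_SESSION);
+session_destroy();
+
+--EXPECTF--
+array(0) {
+}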
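Review bot: The test pins `session.upload_progress.cleanup=0`, so it exercises only the `else` branch patched in session.c; the same malformed multipart request with cleanup enabled goes through `php_session_rfc1867_cleanup(progress)` and is not covered. A second variant of this test with `session.upload_progress.cleanup=1` would show that path is also safe when no file part initialized the progress data. With `error_reporting=0` any warning emitted while handling the request is hidden from the expected output, so the test proves only that the process does not crash and that `$_SESSION` is empty. The expected output has no format placeholders, so `--EXPECT--` would do in place of `--EXPECTF--`.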