From 5def392ce1207eee2c12f51479099829d24ba078 Mon Sep 17 00:00:00 2001 From: Pierre Joye Date: Sun, 30 Jul 2006 16:26:20 +0000 Subject: [PATCH] - 38261: openssl_x509_parse leaks with invalid certs --- NEWS | 1 + ext/openssl/openssl.c | 5 +++++ ext/openssl/tests/bug38261.phpt | 34 +++++++++++++++++++++++++++++++++ 3 files changed, 40 insertions(+) create mode 100644 ext/openssl/tests/bug38261.phpt diff --git a/NEWS b/NEWS index b39a16eaa5e..24aca2de7c7 100644 --- a/NEWS +++ b/NEWS @@ -19,6 +19,7 @@ PHP NEWS - Fixed phpinfo() cutoff of variables at \0. (Ilia) - Fixed a bug in the filter extension that prevented magic_quotes_gpc from being applied when RAW filter is used. (Ilia) +- Fixed bug #38261 (openssl_x509_parse() leaks with invalid cert) (Pierre) - Fixed bug #38255 (openssl possible leaks while passing keys) (Pierre) - Fixed bug #38253 (PDO produces segfault with default fetch mode). (Tony) - Fixed bug #38236 (Binary data gets corrupted on multipart/formdata POST). diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 5c73137c3cb..293574ee6d4 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -784,6 +784,11 @@ static X509 * php_openssl_x509_from_zval(zval ** val, int makeresource, long * r return NULL; } + + if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) { + return NULL; + } + /* force it to be a string and check if it refers to a file */ convert_to_string_ex(val); diff --git a/ext/openssl/tests/bug38261.phpt b/ext/openssl/tests/bug38261.phpt new file mode 100644 index 00000000000..e7d806083e8 --- /dev/null +++ b/ext/openssl/tests/bug38261.phpt @@ -0,0 +1,34 @@ +--TEST-- +openssl key from zval leaks +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +bool(false) +bool(false) +bool(false) + +Warning: openssl_x509_parse() expects at least 1 parameter, 0 given in %s/bug38261.php on line %d +NULL +bool(false) + +Catchable fatal error: Object of class stdClass could not be converted to string in %s/bug38261.php on line %d