Fix GH-10692: PHP crashes on Windows when an inexistent filename is executed

Fixes GH-10692

php_fopen_primary_script() does not initialize all fields of
zend_file_handle. So when it fails and when fastcgi is true, the
zend_destroy_file_handle() function will try to free uninitialized
pointers, causing a segmentation fault. Fix it by zero-initializing file
handles just like the zend_stream_init_fp() counterpart does.

Closes GH-10697.
Niels Dossche 2023-02-25 13:42:45 +01:00 committed by David Carlier
parent 7d2b01eea7
commit df579adac7
2 changed files with 4 additions and 0 deletions

NEWS

@ -16,6 +16,8 @@ PHP NEWS
misleadingly with the wrong return type. (nielsdos)
. Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer
constant name). (nielsdos)
. Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle()
freeing dangling pointers on the handle as it was uninitialized. (nielsdos)
- Curl:
. Fixed deprecation warning at compile time. (Max Kellermann)
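Review bot: The new NEWS entry for php_fopen_primary_script() does not mention GH-10692, while the entry just above it uses the "Fix bug GH-10570 (...)" form. Lead with the issue number so the entry can be traced back to the report. The wording also needs a pass: "call resulted on" should read "call resulting in", and since the commit message describes the pointers as uninitialized, "freeing uninitialized pointers" is more accurate than "freeing dangling pointers".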


@ -353,6 +353,8 @@ PHPAPI int php_fopen_primary_script(zend_file_handle *file_handle)
size_t length;
bool orig_display_errors;
memset(file_handle, 0, sizeof(zend_file_handle));
path_info = SG(request_info).request_uri;
#if HAVE_PWD_H
if (PG(user_dir) && *PG(user_dir) && path_info && '/' == path_info[0] && '~' == path_info[1]) {
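Review bot: The memset(file_handle, 0, sizeof(zend_file_handle)) at the top of php_fopen_primary_script() carries no comment explaining why it is there. Add one line stating that the failure paths leave the handle to zend_destroy_file_handle(), which frees its pointer fields, so the handle has to be zeroed before any early return. Since the commit message names zend_stream_init_fp() as doing the same zeroing, consider a shared initializer so the two cannot drift apart. The commit changes only two files (NEWS and this one), so nothing tests the failed-open path from GH-10692; a regression test that requests a nonexistent script would keep the crash from coming back.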