Fix #79078: Hypothetical use-after-free in curl_multi_add_handle()

cmb69 · cmb69 · commit 0dda4a844e63 · 2020-01-08T18:29:10.000+01:00
To avoid this, we have to verify the handlers already in
`curl_multi_add_handle()`, not only in `curl_multi_exec()`.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.3.15
 
+- CURL:
+  . Fixed bug #79078 (Hypothetical use-after-free in curl_multi_add_handle()).
+    (cmb)
+
 23 Jan 2020, PHP 7.3.14
 
 - Core
diff --git a/ext/curl/multi.c b/ext/curl/multi.c
@@ -92,6 +92,8 @@ PHP_FUNCTION(curl_multi_add_handle)
 		RETURN_FALSE;
 	}
 
+	_php_curl_verify_handlers(ch, 1);
+
 	_php_curl_cleanup_handle(ch);
 
 	GC_ADDREF(Z_RES_P(z_ch));
diff --git a/ext/curl/tests/bug48203_multi.phpt b/ext/curl/tests/bug48203_multi.phpt
@@ -67,25 +67,25 @@ foreach($options_to_check as $option) {
 --CLEAN--
 <?php @unlink(dirname(__FILE__) . '/bug48203.tmp'); ?>
 --EXPECTF--
-Warning: curl_multi_exec(): CURLOPT_STDERR resource has gone away, resetting to stderr in %s on line %d
-
-Warning: curl_multi_exec(): CURLOPT_STDERR resource has gone away, resetting to stderr in %s on line %d
+Warning: curl_multi_add_handle(): CURLOPT_STDERR resource has gone away, resetting to stderr in %s on line %d
+%A
+Warning: curl_multi_add_handle(): CURLOPT_STDERR resource has gone away, resetting to stderr in %s on line %d
 %A
 Ok for CURLOPT_STDERR
 
-Warning: curl_multi_exec(): CURLOPT_WRITEHEADER resource has gone away, resetting to default in %s on line %d
+Warning: curl_multi_add_handle(): CURLOPT_WRITEHEADER resource has gone away, resetting to default in %s on line %d
 
-Warning: curl_multi_exec(): CURLOPT_WRITEHEADER resource has gone away, resetting to default in %s on line %d
+Warning: curl_multi_add_handle(): CURLOPT_WRITEHEADER resource has gone away, resetting to default in %s on line %d
 Ok for CURLOPT_WRITEHEADER
 
-Warning: curl_multi_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
+Warning: curl_multi_add_handle(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
 
-Warning: curl_multi_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
+Warning: curl_multi_add_handle(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
 Hello World!
 Hello World!Hello World!
 Hello World!Ok for CURLOPT_FILE
 
-Warning: curl_multi_exec(): CURLOPT_INFILE resource has gone away, resetting to default in %s on line %d
+Warning: curl_multi_add_handle(): CURLOPT_INFILE resource has gone away, resetting to default in %s on line %d
 
-Warning: curl_multi_exec(): CURLOPT_INFILE resource has gone away, resetting to default in %s on line %d
+Warning: curl_multi_add_handle(): CURLOPT_INFILE resource has gone away, resetting to default in %s on line %d
 Ok for CURLOPT_INFILE

Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,8 @@ PHP_FUNCTION(curl_multi_add_handle)`
`92`	`92`	`RETURN_FALSE;`
`93`	`93`	`}`
`94`	`94`
	`95`	`+ _php_curl_verify_handlers(ch, 1);`
	`96`	`+`
`95`	`97`	`_php_curl_cleanup_handle(ch);`
`96`	`98`
`97`	`99`	`GC_ADDREF(Z_RES_P(z_ch));`