fix bug #72998

krakjoe · krakjoe · commit 1143155fcb4c · 2021-06-03T10:33:10.000+02:00
the function fn_complete in libedit null checks matches[2]
diff --git a/NEWS b/NEWS
@@ -28,6 +28,9 @@ PHP                                                                        NEWS
 - MySQLnd:
   . Fixed bug #80761 (PDO uses too much memory). (Nikita)
 
+- readline:
+  . Fixed bug #72998 (invalid read in readline completion). (krakjoe)
+
 - Standard:
   . Fixed bug #81048 (phpinfo(INFO_VARIABLES) "Array to string conversion").
     (cmb)
diff --git a/ext/readline/readline.c b/ext/readline/readline.c
@@ -452,12 +452,12 @@ char **php_readline_completion_cb(const char *text, int start, int end)
 			if (zend_hash_num_elements(Z_ARRVAL(_readline_array))) {
 				matches = rl_completion_matches(text,_readline_command_generator);
 			} else {
-				matches = malloc(sizeof(char *) * 2);
+				/* libedit will read matches[2] */
+				matches = calloc(sizeof(char *), 3);
 				if (!matches) {
 					return NULL;
 				}
 				matches[0] = strdup("");
-				matches[1] = NULL;
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -452,12 +452,12 @@ char *php_readline_completion_cb(const char text, int start, int end)`
`452`	`452`	`if (zend_hash_num_elements(Z_ARRVAL(_readline_array))) {`
`453`	`453`	`matches = rl_completion_matches(text,_readline_command_generator);`
`454`	`454`	`} else {`
`455`		`- matches = malloc(sizeof(char ) 2);`
	`455`	`+ /* libedit will read matches[2] */`
	`456`	`+ matches = calloc(sizeof(char *), 3);`
`456`	`457`	`if (!matches) {`
`457`	`458`	`return NULL;`
`458`	`459`	`}`
`459`	`460`	`matches[0] = strdup("");`
`460`		`- matches[1] = NULL;`
`461`	`461`	`}`
`462`	`462`	`}`
`463`	`463`	`}`