Fixed bug #54350

nikic · nikic · commit 15197702888f · 2021-10-07T11:44:41.000+02:00
Don't allow calling fclose() on the stream while in the user
filter callback. This is basically the same protection as xp_ssl
streams use during callback invocations.

There are more issues in this general area (e.g. stack overflow
on stream_filter_remove), but this addresses freeing the stream
during the filter callback invocation at least.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,8 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.4.26
 
+- Streams:
+  . Fixed bug #54340 (Memory corruption with user_filter). (Nikita)
 
 21 Oct 2021, PHP 7.4.25
 
diff --git a/ext/standard/tests/filters/bug54350.phpt b/ext/standard/tests/filters/bug54350.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #54350: Memory corruption with user_filter
+--FILE--
+<?php
+
+class user_filter extends php_user_filter {
+    function filter($in, $out, &$consumed, $closing): int {
+        while ($bucket = stream_bucket_make_writeable($in)) {
+        }
+        fclose($this->stream);
+        return 0;
+    }
+}
+stream_filter_register('user_filter','user_filter');
+$fd = fopen('php://memory','w');
+$filter = stream_filter_append($fd, 'user_filter');
+fwrite($fd, "foo");
+
+?>
+--EXPECTF--
+Warning: fclose(): 5 is not a valid stream resource in %s on line %d
+
+Warning: fclose(): supplied resource is not a valid stream resource in %s on line %d
diff --git a/ext/standard/user_filters.c b/ext/standard/user_filters.c
@@ -172,6 +172,10 @@ php_stream_filter_status_t userfilter_filter(
 		return ret;
 	}
 
+	/* Make sure the stream is not closed while the filter callback executes. */
+	uint32_t orig_no_fclose = stream->flags & PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
+
 	if (!zend_hash_str_exists_ind(Z_OBJPROP_P(obj), "stream", sizeof("stream")-1)) {
 		zval tmp;
 
@@ -248,6 +252,9 @@ php_stream_filter_status_t userfilter_filter(
 	zval_ptr_dtor(&args[1]);
 	zval_ptr_dtor(&args[0]);
 
+	stream->flags &= ~PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= orig_no_fclose;
+
 	return ret;
 }
 
