
Commit 90ae181

committed
Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress
1 parent 406c5d5 commit 90ae181


2 files changed

+51
-4
lines changed


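--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -3217,10 +3217,12 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
 if (PS(rfc1867_cleanup)) {
 php_session_rfc1867_cleanup(progress);
 } else {
-SEPARATE_ARRAY(&progress->data);
-add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
-Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
-php_session_rfc1867_update(progress, 1);
+if (!Z_ISUNDEF(progress->data)) {
+SEPARATE_ARRAY(&progress->data);
+add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
+Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
+php_session_rfc1867_update(progress, 1);
+}
 }
 php_rshutdown_session_globals();
 }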
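Review bot: The guard `if (!Z_ISUNDEF(progress->data))` added in the non-cleanup branch has no comment saying when `progress->data` can still be undefined at this point, and it is also the only thing protecting the `Z_LVAL_P(progress->post_bytes_processed)` dereference inside it. I would add something like `/* data is never initialised when the request had no usable file part (bug #79221) */` above the check; that reading is inferred from the accompanying test, so confirm it against the code that initialises `progress->data`, which is outside this hunk. The sibling branch `php_session_rfc1867_cleanup(progress)` is left unguarded and the new test only runs with `session.upload_progress.cleanup=0`, so it is worth checking that the cleanup path tolerates the same uninitialised state. `php_session_rfc1867_callback` starts and ends outside the hunk.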

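--- a/ext/session/tests/bug79221.phpt
+++ b/ext/session/tests/bug79221.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Null Pointer Dereference in PHP Session Upload Progress
+--INI--
+error_reporting=0
+file_uploads=1
+upload_max_filesize=1024
+session.save_path=
+session.name=PHPSESSID
+session.serialize_handler=php
+session.use_strict_mode=0
+session.use_cookies=1
+session.use_only_cookies=0
+session.upload_progress.enabled=1
+session.upload_progress.cleanup=0
+session.upload_progress.prefix=upload_progress_
+session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
+session.upload_progress.freq=1%
+session.upload_progress.min_freq=0.000000001
+--COOKIE--
+PHPSESSID=session-upload
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHPSESSID"
+
+session-upload
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
+
+ryat
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; file="file"; ryat="filename"
+
+1
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+
+session_start();
+var_dump($_SESSION);
+session_destroy();
+
+--EXPECTF--
+array(0) {
+}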
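Review bot: The test has no `--SKIPIF--` section, so on a build without the session extension it would fail rather than be skipped; a `--SKIPIF--` block containing `<?php if (!extension_loaded('session')) die('skip session extension not available'); ?>` would cover that. `--EXPECTF--` is used although the expected output contains no format placeholders, so plain `--EXPECT--` states the intent more exactly.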
