Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress

Author: smalyshev

ext/session/session.c

@@ -3219,10 +3219,12 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
 				if (PS(rfc1867_cleanup)) {
 					php_session_rfc1867_cleanup(progress);
 				} else {
-					SEPARATE_ARRAY(&progress->data);
-					add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
-					Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
-					php_session_rfc1867_update(progress, 1);
+					if (!Z_ISUNDEF(progress->data)) {
+						SEPARATE_ARRAY(&progress->data);
+						add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 1);
+						Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
+						php_session_rfc1867_update(progress, 1);
+					}
 				}
 				php_rshutdown_session_globals();
 			}

ext/session/tests/bug79221.phpt

@@ -0,0 +1,45 @@
+--TEST--
+Null Pointer Dereference in PHP Session Upload Progress
+--INI--
+error_reporting=0
+file_uploads=1
+upload_max_filesize=1024
+session.save_path=
+session.name=PHPSESSID
+session.serialize_handler=php
+session.use_strict_mode=0
+session.use_cookies=1
+session.use_only_cookies=0
+session.upload_progress.enabled=1
+session.upload_progress.cleanup=0
+session.upload_progress.prefix=upload_progress_
+session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
+session.upload_progress.freq=1%
+session.upload_progress.min_freq=0.000000001
+--COOKIE--
+PHPSESSID=session-upload
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHPSESSID"
+
+session-upload
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
+
+ryat
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; file="file"; ryat="filename"
+
+1
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+
+session_start();
+var_dump($_SESSION);
+session_destroy();
+
+--EXPECTF--
+array(0) {
+}