From cca49ce925560f35d58e7320ac944ac0d1d3fa37 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Tue, 28 Mar 2023 23:37:40 +0200
Subject: [PATCH] Fix uninitialized variable accesses in sockets/conversions

This was first pointed out in GH-10959. The from_zval_... functions don't always write to the pointer, in particular it is necessary to check for an error before using the value. Otherwise we can access an uninitialized value and that's UB (and dangerous). Note: this does *NOT* get rid of the compiler warning. Even though there is error checking now, the compiler isn't smart enough to figure out that the values can not be used uninitialized.
---
 ext/sockets/conversions.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ext/sockets/conversions.c b/ext/sockets/conversions.c
index 90a79b83985c5..a6de55106f30f 100644
--- a/ext/sockets/conversions.c
+++ b/ext/sockets/conversions.c
@@ -720,6 +720,10 @@ static void from_zval_write_sockaddr_aux(const zval *container,
 		zend_llist_add_element(&ctx->keys, &node);
 		from_zval_write_int(elem, (char*)&family, ctx);
 		zend_llist_remove_tail(&ctx->keys);
+
+		if (UNEXPECTED(ctx->err.has_error)) {
+			return;
+		}
 	} else {
 		family = ctx->sock->type;
 	}
@@ -1115,7 +1119,10 @@ static void from_zval_write_controllen(const zval *elem, char *msghdr_c, ser_con
 	 * this least common denominator */
 	from_zval_write_uint32(elem, (char*)&len, ctx);
 
-	if (!ctx->err.has_error && len == 0) {
+	if (ctx->err.has_error) {
+		return;
+	}
+	if (len == 0) {
 		do_from_zval_err(ctx, "controllen cannot be 0");
 		return;
 	}
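Review bot: The early return added after `zend_llist_remove_tail` closes the error path, but `family` is still left indeterminate whenever `from_zval_write_int` reports an error, so every later read of it depends on this single check staying in place; since the commit message itself says the compiler warning persists, initializing `family` at its declaration (which is outside this hunk) would both silence the warning and make any future unguarded read a defined, non-UB value. The declaration of `family`, its later uses, and the end of from_zval_write_sockaddr_aux are all outside the hunk, so I can only infer that the check is sufficient today. A short comment on the new guard would help the next maintainer, e.g. `/* from_zval_write_int() leaves family unwritten on error; bail before it is read */`.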
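Review bot: The new guard `if (ctx->err.has_error) {` is written without `UNEXPECTED()`, whereas the equivalent guard added in the first hunk (from_zval_write_sockaddr_aux) reads `if (UNEXPECTED(ctx->err.has_error)) {`; the file's existing convention for these checks is not visible here, but the two guards introduced by the same commit should at least agree, so I would change this one to `if (UNEXPECTED(ctx->err.has_error)) {`. Splitting the old `!ctx->err.has_error && len == 0` into an explicit early return is the right shape, since the old form silently fell through with `len` unwritten on error. The declaration of `len` and the remainder of from_zval_write_controllen lie outside the hunk, so the same initialize-at-declaration remark from the first hunk applies if any later read of `len` is not preceded by this check.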