From f16a9c7e34a4aff9717f8c3ac1f2c55d72c47efb Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Fri, 15 Nov 2024 07:47:52 +0000
Subject: [PATCH 1/5] Fix GH-16812: UAF on readline_info() after
 readline_write_history() call.

---
 ext/readline/readline.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/readline/readline.c b/ext/readline/readline.c
index d94e20db9c32d..075c3d966d7cc 100644
--- a/ext/readline/readline.c
+++ b/ext/readline/readline.c
@@ -200,7 +200,7 @@ PHP_FUNCTION(readline_info)
 					if (rl_line_buffer) {
 						free(rl_line_buffer);
 					}
-					rl_line_buffer = tmp;
+					oldstr = rl_line_buffer = tmp;
 				}
 #endif
 #if !defined(PHP_WIN32)

From df8126376dc3b71e27bf46a28e972b0b83f0bd95 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Fri, 15 Nov 2024 08:11:32 +0000
Subject: [PATCH 2/5] add test

---
 ext/readline/tests/gh16812.phpt | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 ext/readline/tests/gh16812.phpt

diff --git a/ext/readline/tests/gh16812.phpt b/ext/readline/tests/gh16812.phpt
new file mode 100644
index 0000000000000..077dceff5ef9a
--- /dev/null
+++ b/ext/readline/tests/gh16812.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-16812 readline_info(): UAF
+--EXTENSIONS--
+readline
+--SKIPIF--
+<?php
+if (READLINE_LIB != "libedit") die("skip libedit only");
+if(substr(PHP_OS, 0, 3) == 'WIN' ) {
+    die('skip not for windows');
+}
+if (getenv('SKIP_REPEAT')) die("skip readline has global state");
+?>
+--FILE--
+<?php
+readline_write_history(NULL);
+var_dump(readline_info('line_buffer', 'test'));
+?>
+--EXPECT--
+string(4) "test"

From 1db70c09ba0608b85921b0a6781c4fd582096193 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Fri, 15 Nov 2024 13:06:37 +0000
Subject: [PATCH 3/5] changes from feedback, copying original before hand
 instead.

---
 ext/readline/readline.c         | 8 +++++---
 ext/readline/tests/gh16812.phpt | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ext/readline/readline.c b/ext/readline/readline.c
index 075c3d966d7cc..30f84d610022f 100644
--- a/ext/readline/readline.c
+++ b/ext/readline/readline.c
@@ -181,7 +181,7 @@ PHP_FUNCTION(readline_info)
 		add_assoc_long(return_value,"attempted_completion_over",rl_attempted_completion_over);
 	} else {
 		if (zend_string_equals_literal_ci(what,"line_buffer")) {
-			oldstr = rl_line_buffer;
+			oldstr = strdup(rl_line_buffer ? rl_line_buffer : "");
 			if (value) {
 				if (!try_convert_to_string(value)) {
 					RETURN_THROWS();
@@ -191,7 +191,8 @@ PHP_FUNCTION(readline_info)
 					rl_line_buffer = malloc(Z_STRLEN_P(value) + 1);
 				} else if (strlen(oldstr) < Z_STRLEN_P(value)) {
 					rl_extend_line_buffer(Z_STRLEN_P(value) + 1);
-					oldstr = rl_line_buffer;
+					free(oldstr);
+					oldstr = strdup(rl_line_buffer ? rl_line_buffer : "");
 				}
 				memcpy(rl_line_buffer, Z_STRVAL_P(value), Z_STRLEN_P(value) + 1);
 #else
@@ -200,7 +201,7 @@ PHP_FUNCTION(readline_info)
 					if (rl_line_buffer) {
 						free(rl_line_buffer);
 					}
-					oldstr = rl_line_buffer = tmp;
+					rl_line_buffer = tmp;
 				}
 #endif
 #if !defined(PHP_WIN32)
@@ -208,6 +209,7 @@ PHP_FUNCTION(readline_info)
 #endif
 			}
 			RETVAL_STRING(SAFE_STRING(oldstr));
+			free(oldstr);
 		} else if (zend_string_equals_literal_ci(what, "point")) {
 			RETVAL_LONG(rl_point);
 #ifndef PHP_WIN32
diff --git a/ext/readline/tests/gh16812.phpt b/ext/readline/tests/gh16812.phpt
index 077dceff5ef9a..f79e514145570 100644
--- a/ext/readline/tests/gh16812.phpt
+++ b/ext/readline/tests/gh16812.phpt
@@ -16,4 +16,4 @@ readline_write_history(NULL);
 var_dump(readline_info('line_buffer', 'test'));
 ?>
 --EXPECT--
-string(4) "test"
+string(0) ""

From 4650692056c2e7eeb65bba94eaf089d783dcad60 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Fri, 15 Nov 2024 13:13:14 +0000
Subject: [PATCH 4/5] enable the test on windows

---
 ext/readline/tests/gh16812.phpt | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/ext/readline/tests/gh16812.phpt b/ext/readline/tests/gh16812.phpt
index f79e514145570..57525a96ce0c1 100644
--- a/ext/readline/tests/gh16812.phpt
+++ b/ext/readline/tests/gh16812.phpt
@@ -5,9 +5,6 @@ readline
 --SKIPIF--
 <?php
 if (READLINE_LIB != "libedit") die("skip libedit only");
-if(substr(PHP_OS, 0, 3) == 'WIN' ) {
-    die('skip not for windows');
-}
 if (getenv('SKIP_REPEAT')) die("skip readline has global state");
 ?>
 --FILE--

From ca32a242d6f9be38119b1f1907cac7d695b30d29 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Fri, 15 Nov 2024 15:55:21 +0000
Subject: [PATCH 5/5] enable for the old readline lib too

---
 ext/readline/tests/gh16812.phpt | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ext/readline/tests/gh16812.phpt b/ext/readline/tests/gh16812.phpt
index 57525a96ce0c1..e148f731cab51 100644
--- a/ext/readline/tests/gh16812.phpt
+++ b/ext/readline/tests/gh16812.phpt
@@ -4,7 +4,6 @@ GH-16812 readline_info(): UAF
 readline
 --SKIPIF--
 <?php
-if (READLINE_LIB != "libedit") die("skip libedit only");
 if (getenv('SKIP_REPEAT')) die("skip readline has global state");
 ?>
 --FILE--