
Commit b156471

committed
Fix GH-21023: CURLOPT_XFERINFOFUNCTION with invalid callback crash.
we check the FCC is properly initialised beforehand in its handler. close GH-21025
1 parent 23f4b93 commit b156471

3 files changed

Lines changed: 41 additions & 0 deletions


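--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ PHP NEWS
 - Core:
 . Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). (Arnaud)
 
+- Curl:
+. Fixed bug GH-21023 (CURLOPT_XFERINFOFUNCTION crash with a null callback).
+(David Carlier)
+
 - PDO_PGSQL:
 . Fixed bug GH-21055 (connection attribute status typo for GSS negotiation).
 (lsaos)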

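--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -621,6 +621,10 @@ static int curl_fnmatch(void *ctx, const char *pattern, const char *string)
 zval argv[3];
 zval retval;
 
+if (!ZEND_FCC_INITIALIZED(ch->handlers.fnmatch)) {
+return rval;
+}
+
 GC_ADDREF(&ch->std);
 ZVAL_OBJ(&argv[0], &ch->std);
 ZVAL_STRING(&argv[1], pattern);
@@ -652,6 +656,9 @@ static int curl_progress(void *clientp, double dltotal, double dlnow, double ult
 fprintf(stderr, "curl_progress() called\n");
 fprintf(stderr, "clientp = %x, dltotal = %f, dlnow = %f, ultotal = %f, ulnow = %f\n", clientp, dltotal, dlnow, ultotal, ulnow);
 #endif
+if (!ZEND_FCC_INITIALIZED(ch->handlers.progress)) {
+return rval;
+}
 
 zval args[5];
 zval retval;
@@ -690,6 +697,9 @@ static int curl_xferinfo(void *clientp, curl_off_t dltotal, curl_off_t dlnow, cu
 fprintf(stderr, "curl_xferinfo() called\n");
 fprintf(stderr, "clientp = %x, dltotal = %ld, dlnow = %ld, ultotal = %ld, ulnow = %ld\n", clientp, dltotal, dlnow, ultotal, ulnow);
 #endif
+if (!ZEND_FCC_INITIALIZED(ch->handlers.xferinfo)) {
+return rval;
+}
 
 zval argv[5];
 zval retval;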
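Review bot: The three new guards return `rval`, whose initial value is set above each hunk and is not visible here, so what libcurl does when the callback slot is empty depends on an initializer the reader cannot see at the check. For `curl_progress` and `curl_xferinfo` a non-zero return tells libcurl to abort the transfer, and for `curl_fnmatch` the return decides whether the pattern counts as a match, so I would state the intent next to each guard, e.g. `/* no callback registered: return the default so the transfer continues */`, and confirm the initializers give that outcome. The guards also treat the symptom in the handler; the setopt path that accepts `null` is outside this diff and presumably still leaves the C trampoline registered with libcurl, so it is worth checking whether other trampolines in this file that call through an FCC have the same gap. All three function bodies start and end outside their hunks.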

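--- a/ext/curl/tests/gh21023.phpt
+++ b/ext/curl/tests/gh21023.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-21023 (crash with CURLOPT_XFERINFOFUNCTION set with an invalid callback)
+--EXTENSIONS--
+curl
+--FILE--
+<?php
+include 'server.inc';
+$host = curl_cli_server_start();
+$url = "{$host}/get.inc";
+$ch = curl_init($url);
+curl_setopt($ch, CURLOPT_NOPROGRESS, 0);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_XFERINFOFUNCTION, null);
+curl_exec($ch);
+$ch = curl_init($url);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_PROGRESSFUNCTION, null);
+curl_exec($ch);
+$ch = curl_init($url);
+curl_setopt($ch, CURLOPT_WILDCARDMATCH, 1);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_FNMATCH_FUNCTION, null);
+curl_exec($ch);
+echo "OK", PHP_EOL;
+?>
+--EXPECT--
+OK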
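Review bot: Only the first case sets `CURLOPT_NOPROGRESS` to 0, so in the second case (new lines 15-18) the progress callback is probably never invoked and the new guard in `curl_progress` goes unexercised; adding `curl_setopt($ch, CURLOPT_NOPROGRESS, 0);` before the `CURLOPT_PROGRESSFUNCTION` line would cover it. The third case requests an HTTP URL, and as far as I know libcurl applies wildcard matching only to FTP-style transfers, so `curl_fnmatch` is likely not reached either. None of the `curl_exec()` results are checked, so the test would still print OK if a guard made libcurl abort the transfer; `var_dump(curl_exec($ch) !== false);` with matching expected output would pin that.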
