From a8b5510a30a5e8761e841c799a472c6f25560698 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sat, 15 Feb 2020 20:52:19 -0800
Subject: [PATCH 1/3] Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress
(cherry picked from commit d76f7c6c636b8240e06a1fa29eebb98ad005008a)
---
 ext/session/session.c | 8 +++---
 ext/session/tests/bug79221.phpt | 45 +++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 ext/session/tests/bug79221.phpt
diff --git a/ext/session/session.c b/ext/session/session.c
index b2d02361df..d759fcabbf 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -2820,9 +2820,11 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
 if (PS(rfc1867_cleanup)) {
 php_session_rfc1867_cleanup(progress TSRMLS_CC);
 } else {
- add_assoc_bool_ex(progress->data, "done", sizeof("done"), 1);
- Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
- php_session_rfc1867_update(progress, 1 TSRMLS_CC);
+ if (progress->data) {
+ add_assoc_bool_ex(progress->data, "done", sizeof("done"), 1);
+ Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
+ php_session_rfc1867_update(progress, 1 TSRMLS_CC);
+ }
 }
 php_rshutdown_session_globals(TSRMLS_C);
 }
diff --git a/ext/session/tests/bug79221.phpt b/ext/session/tests/bug79221.phpt
new file mode 100644
index 0000000000..b0972c4697
--- /dev/null
+++ b/ext/session/tests/bug79221.phpt
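Review bot: The added `if (progress->data)` guard in php_session_rfc1867_callback (ext/session/session.c) also stands in for a check on `progress->post_bytes_processed`, which the following line still dereferences through `Z_LVAL_P`. That is safe only if the two pointers are always allocated together, and the allocation site is outside this hunk. A one-line comment above the guard would record that invariant once it is confirmed, e.g. `/* data and post_bytes_processed may never have been allocated for this request (bug #79221) */`. The `PS(rfc1867_cleanup)` branch just above stays unguarded and the new test sets `session.upload_progress.cleanup=0`, so a second test case with cleanup enabled would show whether that path tolerates the same request. The function body starts and ends outside the hunk.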
@@ -0,0 +1,45 @@
+--TEST--
+Null Pointer Dereference in PHP Session Upload Progress
+--INI--
+error_reporting=0
+file_uploads=1
+upload_max_filesize=1024
+session.save_path=
+session.name=PHPSESSID
+session.serialize_handler=php
+session.use_strict_mode=0
+session.use_cookies=1
+session.use_only_cookies=0
+session.upload_progress.enabled=1
+session.upload_progress.cleanup=0
+session.upload_progress.prefix=upload_progress_
+session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
+session.upload_progress.freq=1%
+session.upload_progress.min_freq=0.000000001
+--COOKIE--
+PHPSESSID=session-upload
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHPSESSID"
+
+session-upload
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
+
+ryat
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; file="file"; ryat="filename"
+
+1
+-----------------------------20896060251896012921717172737--
+--FILE--
+