Merge branch 'PHP-8.3' into PHP-8.4

ndossche · ndossche · commit d6d78545ea40 · 2024-12-04T20:05:32.000+01:00
* PHP-8.3: Fix phpGH-17037: UAF in user filter when adding existing filter name due to incorrect error handling
diff --git a/NEWS b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.3
 
+- Streams:
+  . Fixed bug GH-17037 (UAF in user filter when adding existing filter name due
+    to incorrect error handling). (nielsdos)
 
 05 Dec 2024, PHP 8.4.2
 
diff --git a/ext/standard/tests/filters/gh17037.phpt b/ext/standard/tests/filters/gh17037.phpt
@@ -0,0 +1,8 @@
+--TEST--
+GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling)
+--FILE--
+<?php
+var_dump(stream_filter_register('string.toupper', 'filter_string_toupper'));
+?>
+--EXPECT--
+bool(false)
diff --git a/ext/standard/user_filters.c b/ext/standard/user_filters.c
@@ -521,13 +521,17 @@ PHP_FUNCTION(stream_filter_register)
 	fdat = ecalloc(1, sizeof(struct php_user_filter_data));
 	fdat->classname = zend_string_copy(classname);
 
-	if (zend_hash_add_ptr(BG(user_filter_map), filtername, fdat) != NULL &&
-			php_stream_filter_register_factory_volatile(filtername, &user_filter_factory) == SUCCESS) {
-		RETVAL_TRUE;
+	if (zend_hash_add_ptr(BG(user_filter_map), filtername, fdat) != NULL) {
+		if (php_stream_filter_register_factory_volatile(filtername, &user_filter_factory) == SUCCESS) {
+			RETURN_TRUE;
+		}
+
+		zend_hash_del(BG(user_filter_map), filtername);
 	} else {
 		zend_string_release_ex(classname, 0);
 		efree(fdat);
-		RETVAL_FALSE;
 	}
+
+	RETURN_FALSE;
 }
 /* }}} */
