Fix #80324: Segfault in YAML with anonymous functions

cmb69 · cmb69 · commit d991df2ed5f2 · 2020-12-16T17:02:47.000+01:00
We must not assume that `key-&gt;val` is `sizeof(YAML_TIMESTAMP_TAG)` long
or longer.  Actually, `zend_string_equals_literal()` (available as of
PHP 7.0.0) does exactly what we want.
diff --git a/tests/bug80324.phpt b/tests/bug80324.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #80324 (Segfault in YAML with anonymous functions)
+--SKIPIF--
+<?php if(!extension_loaded('yaml')) die('skip yaml n/a'); ?>
+--FILE--
+<?php
+$yaml = <<<YAML
+- !env ENV
+- !path PATH
+YAML;
+
+$result = yaml_parse($yaml, 0, $ndocs, array(
+    '!env' => function ($str) {return $str;},
+    '!path' => function ($str) {return $str;},
+  ));
+
+var_dump($result);
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  string(3) "ENV"
+  [1]=>
+  string(4) "PATH"
+}
diff --git a/yaml.c b/yaml.c
@@ -304,7 +304,7 @@ static int php_yaml_check_callbacks(HashTable *callbacks)
 				zend_string_release(name);
 			}
 
-			if (!memcmp(key->val, YAML_TIMESTAMP_TAG, sizeof(YAML_TIMESTAMP_TAG))) {
+			if (zend_string_equals_literal(key, YAML_TIMESTAMP_TAG)) {
 				YAML_G(timestamp_decoder) = entry;
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -304,7 +304,7 @@ static int php_yaml_check_callbacks(HashTable *callbacks)`
`304`	`304`	`zend_string_release(name);`
`305`	`305`	`}`
`306`	`306`
`307`		`- if (!memcmp(key->val, YAML_TIMESTAMP_TAG, sizeof(YAML_TIMESTAMP_TAG))) {`
	`307`	`+ if (zend_string_equals_literal(key, YAML_TIMESTAMP_TAG)) {`
`308`	`308`	`YAML_G(timestamp_decoder) = entry;`
`309`	`309`	`}`
`310`	`310`