Fix GH-13685: Unexpected null pointer in zend_string.h

nielsdos · nielsdos · commit aa34e0acb4a0 · 2024-03-17T18:37:52.000+01:00
Regressed in 6fbf81c. There is a missing error check on spl_filesystem_file_read_line(), which means that if the line could not be read (e.g. because we're at the end of the file), it will not set intern->u.file.current_line, which will cause a NULL pointer deref later on. Fix it by adding a check, and reintroducing the silent flag partially to be able to throw an exception like it did in the past. Closes GH-13692.
diff --git a/NEWS b/NEWS
@@ -41,6 +41,7 @@ PHP                                                                        NEWS
 - SPL:
   . Fixed bug GH-13531 (Unable to resize SplfixedArray after being unserialized
     in PHP 8.2.15). (nielsdos)
+  . Fixed bug GH-13685 (Unexpected null pointer in zend_string.h). (nielsdos)
 
 - Standard:
   . Fixed bug GH-11808 (Live filesystem modified by tests). (nielsdos)
diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
@@ -1866,6 +1866,11 @@ zend_object_iterator *spl_filesystem_tree_get_iterator(zend_class_entry *ce, zva
 }
 /* }}} */
 
+static ZEND_COLD void spl_filesystem_file_cannot_read(spl_filesystem_object *intern)
+{
+	zend_throw_exception_ex(spl_ce_RuntimeException, 0, "Cannot read from file %s", ZSTR_VAL(intern->file_name));
+}
+
 static zend_result spl_filesystem_file_read_ex(spl_filesystem_object *intern, bool silent, zend_long line_add, bool csv)
 {
 	char *buf;
@@ -1875,7 +1880,7 @@ static zend_result spl_filesystem_file_read_ex(spl_filesystem_object *intern, bo
 
 	if (php_stream_eof(intern->u.file.stream)) {
 		if (!silent) {
-			zend_throw_exception_ex(spl_ce_RuntimeException, 0, "Cannot read from file %s", ZSTR_VAL(intern->file_name));
+			spl_filesystem_file_cannot_read(intern);
 		}
 		return FAILURE;
 	}
@@ -1930,10 +1935,10 @@ static bool is_line_empty(spl_filesystem_object *intern)
 				|| (current_line_len == 2 && current_line[0] == '\r' && current_line[1] == '\n'))));
 }
 
-static zend_result spl_filesystem_file_read_csv(spl_filesystem_object *intern, char delimiter, char enclosure, int escape, zval *return_value) /* {{{ */
+static zend_result spl_filesystem_file_read_csv(spl_filesystem_object *intern, char delimiter, char enclosure, int escape, zval *return_value, bool silent) /* {{{ */
 {
 	do {
-		zend_result ret = spl_filesystem_file_read(intern, /* silent */ true, /* csv */ true);
+		zend_result ret = spl_filesystem_file_read(intern, silent, /* csv */ true);
 		if (ret != SUCCESS) {
 			return ret;
 		}
@@ -1959,19 +1964,21 @@ static zend_result spl_filesystem_file_read_csv(spl_filesystem_object *intern, c
 }
 /* }}} */
 
-/* Call to this function reads a line in a "silent" fashion and does not throw an exception */
-static zend_result spl_filesystem_file_read_line_ex(zval * this_ptr, spl_filesystem_object *intern) /* {{{ */
+static zend_result spl_filesystem_file_read_line_ex(zval * this_ptr, spl_filesystem_object *intern, bool silent) /* {{{ */
 {
 	zval retval;
 
 	/* 1) use fgetcsv? 2) overloaded call the function, 3) do it directly */
 	if (SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_READ_CSV)) {
-		return spl_filesystem_file_read_csv(intern, intern->u.file.delimiter, intern->u.file.enclosure, intern->u.file.escape, NULL);
+		return spl_filesystem_file_read_csv(intern, intern->u.file.delimiter, intern->u.file.enclosure, intern->u.file.escape, NULL, silent);
 	}
 	if (intern->u.file.func_getCurr->common.scope != spl_ce_SplFileObject) {
 		spl_filesystem_file_free_line(intern);
 
 		if (php_stream_eof(intern->u.file.stream)) {
+			if (!silent) {
+				spl_filesystem_file_cannot_read(intern);
+			}
 			return FAILURE;
 		}
 		zend_call_method_with_0_params(Z_OBJ_P(this_ptr), Z_OBJCE_P(this_ptr), &intern->u.file.func_getCurr, "getCurrentLine", &retval);
@@ -1995,18 +2002,17 @@ static zend_result spl_filesystem_file_read_line_ex(zval * this_ptr, spl_filesys
 		zval_ptr_dtor(&retval);
 		return SUCCESS;
 	} else {
-		return spl_filesystem_file_read(intern, /* silent */ true, /* csv */ false);
+		return spl_filesystem_file_read(intern, silent, /* csv */ false);
 	}
 } /* }}} */
 
-/* Call to this function reads a line in a "silent" fashion and does not throw an exception */
-static zend_result spl_filesystem_file_read_line(zval * this_ptr, spl_filesystem_object *intern) /* {{{ */
+static zend_result spl_filesystem_file_read_line(zval * this_ptr, spl_filesystem_object *intern, bool silent) /* {{{ */
 {
-	zend_result ret = spl_filesystem_file_read_line_ex(this_ptr, intern);
+	zend_result ret = spl_filesystem_file_read_line_ex(this_ptr, intern, silent);
 
 	while (SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_SKIP_EMPTY) && ret == SUCCESS && is_line_empty(intern)) {
 		spl_filesystem_file_free_line(intern);
-		ret = spl_filesystem_file_read_line_ex(this_ptr, intern);
+		ret = spl_filesystem_file_read_line_ex(this_ptr, intern, silent);
 	}
 
 	return ret;
@@ -2028,7 +2034,7 @@ static void spl_filesystem_file_rewind(zval * this_ptr, spl_filesystem_object *i
 	intern->u.file.current_line_num = 0;
 
 	if (SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_READ_AHEAD)) {
-		spl_filesystem_file_read_line(this_ptr, intern);
+		spl_filesystem_file_read_line(this_ptr, intern, true);
 	}
 } /* }}} */
 
@@ -2182,7 +2188,7 @@ PHP_METHOD(SplFileObject, current)
 	CHECK_SPL_FILE_OBJECT_IS_INITIALIZED(intern);
 
 	if (!intern->u.file.current_line && Z_ISUNDEF(intern->u.file.current_zval)) {
-		spl_filesystem_file_read_line(ZEND_THIS, intern);
+		spl_filesystem_file_read_line(ZEND_THIS, intern, true);
 	}
 	if (intern->u.file.current_line && (!SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_READ_CSV) || Z_ISUNDEF(intern->u.file.current_zval))) {
 		RETURN_STRINGL(intern->u.file.current_line, intern->u.file.current_line_len);
@@ -2221,7 +2227,7 @@ PHP_METHOD(SplFileObject, next)
 
 	spl_filesystem_file_free_line(intern);
 	if (SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_READ_AHEAD)) {
-		spl_filesystem_file_read_line(ZEND_THIS, intern);
+		spl_filesystem_file_read_line(ZEND_THIS, intern, true);
 	}
 	intern->u.file.current_line_num++;
 } /* }}} */
@@ -2339,7 +2345,7 @@ PHP_METHOD(SplFileObject, fgetcsv)
 		}
 	}
 
-	if (spl_filesystem_file_read_csv(intern, delimiter, enclosure, escape, return_value) == FAILURE) {
+	if (spl_filesystem_file_read_csv(intern, delimiter, enclosure, escape, return_value, true) == FAILURE) {
 		RETURN_FALSE;
 	}
 }
@@ -2720,7 +2726,7 @@ PHP_METHOD(SplFileObject, seek)
 	spl_filesystem_file_rewind(ZEND_THIS, intern);
 
 	for (i = 0; i < line_pos; i++) {
-		if (spl_filesystem_file_read_line(ZEND_THIS, intern) == FAILURE) {
+		if (spl_filesystem_file_read_line(ZEND_THIS, intern, true) == FAILURE) {
 			return;
 		}
 	}
@@ -2740,8 +2746,12 @@ PHP_METHOD(SplFileObject, __toString)
 
 	CHECK_SPL_FILE_OBJECT_IS_INITIALIZED(intern);
 
-	if (!intern->u.file.current_line && Z_ISUNDEF(intern->u.file.current_zval)) {
-		spl_filesystem_file_read_line(ZEND_THIS, intern);
+	if (!intern->u.file.current_line) {
+		ZEND_ASSERT(Z_ISUNDEF(intern->u.file.current_zval));
+		zend_result result = spl_filesystem_file_read_line(ZEND_THIS, intern, false);
+		if (UNEXPECTED(result != SUCCESS)) {
+			RETURN_THROWS();
+		}
 	}
 
 	RETURN_STRINGL(intern->u.file.current_line, intern->u.file.current_line_len);
diff --git a/ext/spl/tests/gh13685.phpt b/ext/spl/tests/gh13685.phpt
@@ -0,0 +1,52 @@
+--TEST--
+GH-13685 (Unexpected null pointer in zend_string.h)
+--FILE--
+<?php
+
+$contents = <<<EOS
+"A", "B", "C"
+"D", "E", "F"
+EOS;
+
+echo "--- Directly call fgetcsv ---\n";
+
+$file = new SplTempFileObject;
+$file->fwrite($contents);
+$file->rewind();
+while (($data = $file->fgetcsv(',', '"', ''))) {
+    var_dump((string) $file);
+}
+try {
+    var_dump((string) $file);
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+echo "--- Use csv control ---\n";
+
+$file = new SplTempFileObject;
+$file->fwrite($contents);
+$file->rewind();
+$file->setFlags(SplFileObject::READ_CSV);
+$file->setCsvControl(',', '"', '');
+foreach ($file as $row) {
+    var_dump((string) $file);
+}
+try {
+    var_dump((string) $file);
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+--- Directly call fgetcsv ---
+string(14) ""A", "B", "C"
+"
+string(13) ""D", "E", "F""
+Cannot read from file php://temp
+--- Use csv control ---
+string(14) ""A", "B", "C"
+"
+string(13) ""D", "E", "F""
+Cannot read from file php://temp

Original file line number	Diff line number	Diff line change
`@@ -1866,6 +1866,11 @@ zend_object_iterator spl_filesystem_tree_get_iterator(zend_class_entry ce, zva`
`1866`	`1866`	`}`
`1867`	`1867`	`/* }}} */`
`1868`	`1868`
	`1869`	`+static ZEND_COLD void spl_filesystem_file_cannot_read(spl_filesystem_object *intern)`
	`1870`	`+{`
	`1871`	`+ zend_throw_exception_ex(spl_ce_RuntimeException, 0, "Cannot read from file %s", ZSTR_VAL(intern->file_name));`
	`1872`	`+}`
	`1873`	`+`
`1869`	`1874`	`static zend_result spl_filesystem_file_read_ex(spl_filesystem_object *intern, bool silent, zend_long line_add, bool csv)`
`1870`	`1875`	`{`
`1871`	`1876`	`char *buf;`
`@@ -1875,7 +1880,7 @@ static zend_result spl_filesystem_file_read_ex(spl_filesystem_object *intern, bo`
`1875`	`1880`
`1876`	`1881`	`if (php_stream_eof(intern->u.file.stream)) {`
`1877`	`1882`	`if (!silent) {`
`1878`		`- zend_throw_exception_ex(spl_ce_RuntimeException, 0, "Cannot read from file %s", ZSTR_VAL(intern->file_name));`
	`1883`	`+ spl_filesystem_file_cannot_read(intern);`
`1879`	`1884`	`}`
`1880`	`1885`	`return FAILURE;`
`1881`	`1886`	`}`
`@@ -1930,10 +1935,10 @@ static bool is_line_empty(spl_filesystem_object *intern)`
`1930`	`1935`	`\|\| (current_line_len == 2 && current_line[0] == '\r' && current_line[1] == '\n'))));`
`1931`	`1936`	`}`
`1932`	`1937`
`1933`		`-static zend_result spl_filesystem_file_read_csv(spl_filesystem_object intern, char delimiter, char enclosure, int escape, zval return_value) /* {{{ */`
	`1938`	`+static zend_result spl_filesystem_file_read_csv(spl_filesystem_object intern, char delimiter, char enclosure, int escape, zval return_value, bool silent) /* {{{ */`
`1934`	`1939`	`{`
`1935`	`1940`	`do {`
`1936`		`- zend_result ret = spl_filesystem_file_read(intern, /* silent / true, / csv */ true);`
	`1941`	`+ zend_result ret = spl_filesystem_file_read(intern, silent, /* csv */ true);`
`1937`	`1942`	`if (ret != SUCCESS) {`
`1938`	`1943`	`return ret;`
`1939`	`1944`	`}`
`@@ -1959,19 +1964,21 @@ static zend_result spl_filesystem_file_read_csv(spl_filesystem_object *intern, c`
`1959`	`1964`	`}`
`1960`	`1965`	`/* }}} */`
`1961`	`1966`
`1962`		`-/* Call to this function reads a line in a "silent" fashion and does not throw an exception */`
`1963`		`-static zend_result spl_filesystem_file_read_line_ex(zval * this_ptr, spl_filesystem_object intern) / {{{ */`
	`1967`	`+static zend_result spl_filesystem_file_read_line_ex(zval * this_ptr, spl_filesystem_object intern, bool silent) / {{{ */`
`1964`	`1968`	`{`
`1965`	`1969`	`zval retval;`
`1966`	`1970`
`1967`	`1971`	`/* 1) use fgetcsv? 2) overloaded call the function, 3) do it directly */`
`1968`	`1972`	`if (SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_READ_CSV)) {`
`1969`		`- return spl_filesystem_file_read_csv(intern, intern->u.file.delimiter, intern->u.file.enclosure, intern->u.file.escape, NULL);`
	`1973`	`+ return spl_filesystem_file_read_csv(intern, intern->u.file.delimiter, intern->u.file.enclosure, intern->u.file.escape, NULL, silent);`
`1970`	`1974`	`}`
`1971`	`1975`	`if (intern->u.file.func_getCurr->common.scope != spl_ce_SplFileObject) {`
`1972`	`1976`	`spl_filesystem_file_free_line(intern);`
`1973`	`1977`
`1974`	`1978`	`if (php_stream_eof(intern->u.file.stream)) {`
	`1979`	`+ if (!silent) {`
	`1980`	`+ spl_filesystem_file_cannot_read(intern);`
	`1981`	`+ }`
`1975`	`1982`	`return FAILURE;`
`1976`	`1983`	`}`
`1977`	`1984`	`zend_call_method_with_0_params(Z_OBJ_P(this_ptr), Z_OBJCE_P(this_ptr), &intern->u.file.func_getCurr, "getCurrentLine", &retval);`
`@@ -1995,18 +2002,17 @@ static zend_result spl_filesystem_file_read_line_ex(zval * this_ptr, spl_filesys`
`1995`	`2002`	`zval_ptr_dtor(&retval);`
`1996`	`2003`	`return SUCCESS;`
`1997`	`2004`	`} else {`
`1998`		`- return spl_filesystem_file_read(intern, /* silent / true, / csv */ false);`
	`2005`	`+ return spl_filesystem_file_read(intern, silent, /* csv */ false);`
`1999`	`2006`	`}`
`2000`	`2007`	`} /* }}} */`
`2001`	`2008`
`2002`		`-/* Call to this function reads a line in a "silent" fashion and does not throw an exception */`
`2003`		`-static zend_result spl_filesystem_file_read_line(zval * this_ptr, spl_filesystem_object intern) / {{{ */`
	`2009`	`+static zend_result spl_filesystem_file_read_line(zval * this_ptr, spl_filesystem_object intern, bool silent) / {{{ */`
`2004`	`2010`	`{`
`2005`		`- zend_result ret = spl_filesystem_file_read_line_ex(this_ptr, intern);`
	`2011`	`+ zend_result ret = spl_filesystem_file_read_line_ex(this_ptr, intern, silent);`
`2006`	`2012`
`2007`	`2013`	`while (SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_SKIP_EMPTY) && ret == SUCCESS && is_line_empty(intern)) {`
`2008`	`2014`	`spl_filesystem_file_free_line(intern);`
`2009`		`- ret = spl_filesystem_file_read_line_ex(this_ptr, intern);`
	`2015`	`+ ret = spl_filesystem_file_read_line_ex(this_ptr, intern, silent);`
`2010`	`2016`	`}`
`2011`	`2017`
`2012`	`2018`	`return ret;`
`@@ -2028,7 +2034,7 @@ static void spl_filesystem_file_rewind(zval * this_ptr, spl_filesystem_object *i`
`2028`	`2034`	`intern->u.file.current_line_num = 0;`
`2029`	`2035`
`2030`	`2036`	`if (SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_READ_AHEAD)) {`
`2031`		`- spl_filesystem_file_read_line(this_ptr, intern);`
	`2037`	`+ spl_filesystem_file_read_line(this_ptr, intern, true);`
`2032`	`2038`	`}`
`2033`	`2039`	`} /* }}} */`
`2034`	`2040`
`@@ -2182,7 +2188,7 @@ PHP_METHOD(SplFileObject, current)`
`2182`	`2188`	`CHECK_SPL_FILE_OBJECT_IS_INITIALIZED(intern);`
`2183`	`2189`
`2184`	`2190`	`if (!intern->u.file.current_line && Z_ISUNDEF(intern->u.file.current_zval)) {`
`2185`		`- spl_filesystem_file_read_line(ZEND_THIS, intern);`
	`2191`	`+ spl_filesystem_file_read_line(ZEND_THIS, intern, true);`
`2186`	`2192`	`}`
`2187`	`2193`	`if (intern->u.file.current_line && (!SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_READ_CSV) \|\| Z_ISUNDEF(intern->u.file.current_zval))) {`
`2188`	`2194`	`RETURN_STRINGL(intern->u.file.current_line, intern->u.file.current_line_len);`
`@@ -2221,7 +2227,7 @@ PHP_METHOD(SplFileObject, next)`
`2221`	`2227`
`2222`	`2228`	`spl_filesystem_file_free_line(intern);`
`2223`	`2229`	`if (SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_READ_AHEAD)) {`
`2224`		`- spl_filesystem_file_read_line(ZEND_THIS, intern);`
	`2230`	`+ spl_filesystem_file_read_line(ZEND_THIS, intern, true);`
`2225`	`2231`	`}`
`2226`	`2232`	`intern->u.file.current_line_num++;`
`2227`	`2233`	`} /* }}} */`
`@@ -2339,7 +2345,7 @@ PHP_METHOD(SplFileObject, fgetcsv)`
`2339`	`2345`	`}`
`2340`	`2346`	`}`
`2341`	`2347`
`2342`		`- if (spl_filesystem_file_read_csv(intern, delimiter, enclosure, escape, return_value) == FAILURE) {`
	`2348`	`+ if (spl_filesystem_file_read_csv(intern, delimiter, enclosure, escape, return_value, true) == FAILURE) {`
`2343`	`2349`	`RETURN_FALSE;`
`2344`	`2350`	`}`
`2345`	`2351`	`}`
`@@ -2720,7 +2726,7 @@ PHP_METHOD(SplFileObject, seek)`
`2720`	`2726`	`spl_filesystem_file_rewind(ZEND_THIS, intern);`
`2721`	`2727`
`2722`	`2728`	`for (i = 0; i < line_pos; i++) {`
`2723`		`- if (spl_filesystem_file_read_line(ZEND_THIS, intern) == FAILURE) {`
	`2729`	`+ if (spl_filesystem_file_read_line(ZEND_THIS, intern, true) == FAILURE) {`
`2724`	`2730`	`return;`
`2725`	`2731`	`}`
`2726`	`2732`	`}`
`@@ -2740,8 +2746,12 @@ PHP_METHOD(SplFileObject, __toString)`
`2740`	`2746`
`2741`	`2747`	`CHECK_SPL_FILE_OBJECT_IS_INITIALIZED(intern);`
`2742`	`2748`
`2743`		`- if (!intern->u.file.current_line && Z_ISUNDEF(intern->u.file.current_zval)) {`
`2744`		`- spl_filesystem_file_read_line(ZEND_THIS, intern);`
	`2749`	`+ if (!intern->u.file.current_line) {`
	`2750`	`+ ZEND_ASSERT(Z_ISUNDEF(intern->u.file.current_zval));`
	`2751`	`+ zend_result result = spl_filesystem_file_read_line(ZEND_THIS, intern, false);`
	`2752`	`+ if (UNEXPECTED(result != SUCCESS)) {`
	`2753`	`+ RETURN_THROWS();`
	`2754`	`+ }`
`2745`	`2755`	`}`
`2746`	`2756`
`2747`	`2757`	`RETURN_STRINGL(intern->u.file.current_line, intern->u.file.current_line_len);`