From 888242c30d822392953e1b5f4fc289a96e9da5e0 Mon Sep 17 00:00:00 2001
From: xXx-caillou-xXx
Date: Tue, 28 Aug 2018 18:13:29 +0200
Subject: Fix a SIGSEGV on user-created function's return value

---
 src/sp_execute.c                                        | 14 ++++++++------
 src/tests/config/config_disabled_functions_ret_user.ini |  1 +
 src/tests/disabled_functions_ret_user.phpt              | 16 ++++++++++++++++
 src/tests/disabled_functions_ret_user_used.phpt         | 15 +++++++++++++++
 4 files changed, 40 insertions(+), 6 deletions(-)
 create mode 100644 src/tests/config/config_disabled_functions_ret_user.ini
 create mode 100644 src/tests/disabled_functions_ret_user.phpt
 create mode 100644 src/tests/disabled_functions_ret_user_used.phpt

(limited to 'src')

diff --git a/src/sp_execute.c b/src/sp_execute.c
index 4b7d6d0..844647e 100644
--- a/src/sp_execute.c
+++ b/src/sp_execute.c
@@ -187,14 +187,16 @@ static void sp_execute_ex(zend_execute_data *execute_data) {
 
     orig_execute_ex(execute_data);
 
-    if (UNEXPECTED(
+    if (EX(return_value) != NULL) {
+      if (UNEXPECTED(
             true ==
             should_drop_on_ret_ht(
-                EX(return_value), function_name,
-                SNUFFLEUPAGUS_G(config)
-                    .config_disabled_functions_reg_ret->disabled_functions,
-                SNUFFLEUPAGUS_G(config).config_disabled_functions_ret))) {
-      sp_terminate();
+              EX(return_value), function_name,
+              SNUFFLEUPAGUS_G(config)
+              .config_disabled_functions_reg_ret->disabled_functions,
+              SNUFFLEUPAGUS_G(config).config_disabled_functions_ret))) {
+        sp_terminate();
+      }
     }
     efree(function_name);
   } else {
diff --git a/src/tests/config/config_disabled_functions_ret_user.ini b/src/tests/config/config_disabled_functions_ret_user.ini
new file mode 100644
index 0000000..d214376
--- /dev/null
+++ b/src/tests/config/config_disabled_functions_ret_user.ini
@@ -0,0 +1 @@
+sp.disable_function.function("qwe").ret("asd").drop();
diff --git a/src/tests/disabled_functions_ret_user.phpt b/src/tests/disabled_functions_ret_user.phpt
new file mode 100644
index 0000000..597a6b8
--- /dev/null
+++ b/src/tests/disabled_functions_ret_user.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Check NULL return value for user func
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_ret_user.ini
+--FILE--
+<?php 
+function qwe() {
+  return "asd";
+}
+qwe();
+echo 1;
+?>
+--EXPECT--
+1
diff --git a/src/tests/disabled_functions_ret_user_used.phpt b/src/tests/disabled_functions_ret_user_used.phpt
new file mode 100644
index 0000000..7524b45
--- /dev/null
+++ b/src/tests/disabled_functions_ret_user_used.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Check return value for user func
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_disabled_functions_ret_user.ini
+--FILE--
+<?php 
+function qwe() {
+  return "asd";
+}
+echo qwe();
+?>
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on return of the function 'qwe', because the function returned 'asd', which matched a rule in %a/tests/disabled_functions_ret_user_used.php on line %d
-- 
cgit v1.3