From d9029a4136643fd7f4d7a82a3327e20ac48f2404 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 2 Sep 2021 12:04:43 +0200
Subject: [PATCH 1/3] Fix #81407: shmop_open won't attach and causes php to crash

We need to allocate buffers for the file mapping names which are large enough for all potential keys (`key_t` is defined as `int` on Windows).
---
 TSRM/tsrm_win32.c | 9 ++++++---
 ext/shmop/tests/bug81407.phpt | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 ext/shmop/tests/bug81407.phpt
diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c
index 75240282f61bb..18f66533dc7b9 100644
--- a/TSRM/tsrm_win32.c
+++ b/TSRM/tsrm_win32.c
@@ -611,16 +611,19 @@ TSRM_API int pclose(FILE *stream)
 return termstat;
 }/*}}}*/
+#define SEGMENT_PREFIX "TSRM_SHM_SEGMENT:"
+#define DESCRIPTOR_PREFIX "TSRM_SHM_DESCRIPTOR:"
+
 TSRM_API int shmget(key_t key, size_t size, int flags)
 {/*{{{*/
 shm_pair *shm;
- char shm_segment[26], shm_info[29];
+ char shm_segment[sizeof(SEGMENT_PREFIX "4294967295")], shm_info[sizeof(DESCRIPTOR_PREFIX "4294967295")];
 HANDLE shm_handle = NULL, info_handle = NULL;
 BOOL created = FALSE;
 if (key != IPC_PRIVATE) {
- snprintf(shm_segment, sizeof(shm_segment), "TSRM_SHM_SEGMENT:%d", key);
- snprintf(shm_info, sizeof(shm_info), "TSRM_SHM_DESCRIPTOR:%d", key);
+ snprintf(shm_segment, sizeof(shm_segment), SEGMENT_PREFIX "%d", key);
+ snprintf(shm_info, sizeof(shm_info), DESCRIPTOR_PREFIX "%d", key);
 shm_handle = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, shm_segment);
 info_handle = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, shm_info);
diff --git a/ext/shmop/tests/bug81407.phpt b/ext/shmop/tests/bug81407.phpt
new file mode 100644
index 0000000000000..f676e4eddb18d
--- /dev/null
+++ b/ext/shmop/tests/bug81407.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #81407 (shmop_open won't attach and causes php to crash)
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+bool(true)
+bool(true)
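Review bot: In `shmget`, the two `snprintf` calls that build `shm_segment` and `shm_info` still discard the return value, so a name that does not fit is silently truncated and then handed to `OpenFileMapping`. A truncated name lets two different keys resolve to the same named mapping, which is presumably how the reported crash arose, and the ten-character sizing literal `"4294967295"` in this hunk is still shorter than the longest `%d` rendering of a negative key. A length check would turn any mismatch between buffer size and format into a clean failure, e.g. `if (snprintf(shm_segment, sizeof(shm_segment), SEGMENT_PREFIX "%d", key) >= (int)sizeof(shm_segment)) return -1;` and the same for `shm_info`, assuming the `snprintf` in scope returns the would-be length as C99 specifies. The body of `shmget` continues past the end of this hunk, so the failure path should follow whatever convention its other error returns use.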
From 89e097ec5e2c654ca2d8df6cb9f9dfd2c9462b71 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 2 Sep 2021 15:59:10 +0200
Subject: [PATCH 2/3] Run test on Windows only

It's probably never a good idea to use hard-coded keys (always use `ftok()`), but to reliably reproduce this Windows specific issue we need to, and it shouldn't be an issue on that OS.
---
 ext/shmop/tests/bug81407.phpt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ext/shmop/tests/bug81407.phpt b/ext/shmop/tests/bug81407.phpt
index f676e4eddb18d..468e19c09e476 100644
--- a/ext/shmop/tests/bug81407.phpt
+++ b/ext/shmop/tests/bug81407.phpt
@@ -2,6 +2,7 @@
 Bug #81407 (shmop_open won't attach and causes php to crash)
 --SKIPIF--
 --FILE--
From a62e1c1843edcd9b00b4a09a334a9bf76c988f03 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 2 Sep 2021 16:15:29 +0200
Subject: [PATCH 3/3] Cater to INT_MIN

Its string representation is longer than that of INT_MAX, and it's permissible here.
---
 TSRM/tsrm_win32.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c
index 18f66533dc7b9..ecf02f2dcd4a4 100644
--- a/TSRM/tsrm_win32.c
+++ b/TSRM/tsrm_win32.c
@@ -613,11 +613,12 @@ TSRM_API int pclose(FILE *stream)
 #define SEGMENT_PREFIX "TSRM_SHM_SEGMENT:"
 #define DESCRIPTOR_PREFIX "TSRM_SHM_DESCRIPTOR:"
+#define INT_MIN_AS_STRING "-2147483648"
 TSRM_API int shmget(key_t key, size_t size, int flags)
 {/*{{{*/
 shm_pair *shm;
- char shm_segment[sizeof(SEGMENT_PREFIX "4294967295")], shm_info[sizeof(DESCRIPTOR_PREFIX "4294967295")];
+ char shm_segment[sizeof(SEGMENT_PREFIX INT_MIN_AS_STRING)], shm_info[sizeof(DESCRIPTOR_PREFIX INT_MIN_AS_STRING)];
 HANDLE shm_handle = NULL, info_handle = NULL;
 BOOL created = FALSE;
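Review bot: `INT_MIN_AS_STRING` hard-codes the 32-bit value, and nothing at its definition says that it exists to bound the `%d` rendering of `key` in the `snprintf` calls further down in `shmget`, which lie outside this hunk. A short comment above the three macros would keep the buffer sizes and the format from drifting apart again, for example `/* key_t is int here; "%d" of INT_MIN is its longest rendering, so size the name buffers for it */`. If the build's C dialect allows it, a compile-time assertion that `sizeof(key_t) == sizeof(int)` next to the macro would make that assumption checked rather than only documented.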