Fix GH-16390: dba_open() can segfault for "pathless" streams

`dba_open()` accepts arbitrary stream wrapper paths, but unless no locking (`-`) is specified, we try to determine the underlying file path. If that fails, we need to error out. Closes GH-16498.
php · Oct 20, 2024 · d3b0efe · d3b0efe
1 parent 9ca68e0
commit d3b0efe
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/NEWS b/NEWS
@@ -23,6 +23,9 @@ PHP                                                                        NEWS
     (cmb)
   . Fixed bug GH-16037 (Assertion failure in ext/date/php_date.c). (Derick)
 
+- DBA:
+  . Fixed bug GH-16390 (dba_open() can segfault for "pathless" streams). (cmb)
+
 - DOM:
   . Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
     (nielsdos)

diff --git a/ext/dba/dba.c b/ext/dba/dba.c
@@ -772,11 +772,18 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent)
 			info->lock.fp = php_stream_open_wrapper(lock_name, lock_file_mode, STREAM_MUST_SEEK|REPORT_ERRORS|IGNORE_PATH|persistent_flag, &opened_path);
 			if (info->lock.fp) {
 				if (is_db_lock) {
-					/* replace the path info with the real path of the opened file */
-					pefree(info->path, persistent);
-					info->path = pestrndup(ZSTR_VAL(opened_path), ZSTR_LEN(opened_path), persistent);
+					if (opened_path) {
+						/* replace the path info with the real path of the opened file */
+						pefree(info->path, persistent);
+						info->path = pestrndup(ZSTR_VAL(opened_path), ZSTR_LEN(opened_path), persistent);
+					} else {
+						error = "Unable to determine path for locking";
+					}
 				}
+			}
+			if (opened_path) {
 				zend_string_release_ex(opened_path, 0);
+				opened_path = NULL;
 			}
 		}
 		if (!is_db_lock) {
@@ -788,10 +795,10 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, bool persistent)
 			FREE_PERSISTENT_RESOURCE_KEY();
 			RETURN_FALSE;
 		}
-		if (!php_stream_supports_lock(info->lock.fp)) {
+		if (!error && !php_stream_supports_lock(info->lock.fp)) {
 			error = "Stream does not support locking";
 		}
-		if (php_stream_lock(info->lock.fp, lock_mode)) {
+		if (!error && php_stream_lock(info->lock.fp, lock_mode)) {
 			error = "Unable to establish lock"; /* force failure exit */
 		}
 	}

diff --git a/ext/dba/tests/gh16390.phpt b/ext/dba/tests/gh16390.phpt
@@ -0,0 +1,11 @@
+--TEST--
+GH-16390 (dba_open() can segfault for "pathless" streams)
+--EXTENSIONS--
+dba
+--FILE--
+<?php
+$file = 'data:text/plain;z=y;uri=eviluri;mediatype=wut?;mediatype2=hello,somedata';
+$db = dba_open($file, 'c', 'inifile');
+?>
+--EXPECTF--
+Warning: dba_open(): Driver initialization failed for handler: inifile: Unable to determine path for locking in %s on line %d