Fix phpGH-12186: segfault copying/cloning a finalized HashContext

Closes php#12186
MaxSem · Sep 12, 2023 · 95cd40c · 95cd40c
1 parent 8f8f31a
commit 95cd40c
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 2 deletions.
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
diff --git a/ext/hash/hash.c b/ext/hash/hash.c
@@ -681,7 +681,7 @@ PHP_FUNCTION(hash_init)
 
 #define PHP_HASHCONTEXT_VERIFY(hash) { \
 	if (!hash->context) { \
-		zend_argument_type_error(1, "must be a valid Hash Context resource"); \
+		zend_argument_type_error(1, "must be a valid, non-finalized HashContext"); \
 		RETURN_THROWS(); \
 	} \
 }
@@ -838,11 +838,15 @@ PHP_FUNCTION(hash_final)
 PHP_FUNCTION(hash_copy)
 {
 	zval *zhash;
+	php_hashcontext_object *context;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "O", &zhash, php_hashcontext_ce) == FAILURE) {
 		RETURN_THROWS();
 	}
 
+	context = php_hashcontext_from_object(Z_OBJ_P(zhash));
+	PHP_HASHCONTEXT_VERIFY(context);
+
 	RETVAL_OBJ(Z_OBJ_HANDLER_P(zhash, clone_obj)(Z_OBJ_P(zhash)));
 
 	if (php_hashcontext_from_object(Z_OBJ_P(return_value))->context == NULL) {
@@ -1395,6 +1399,11 @@ static zend_object *php_hashcontext_clone(zend_object *zobj) {
 	zend_object *znew = php_hashcontext_create(zobj->ce);
 	php_hashcontext_object *newobj = php_hashcontext_from_object(znew);
 
+	if (!oldobj->context) {
+		zend_throw_exception(zend_ce_value_error, "Cannot clone a finalized HashContext", 0);
+		return NULL;
+	}
+
 	zend_objects_clone_members(znew, zobj);
 
 	newobj->ops = oldobj->ops;

diff --git a/ext/hash/tests/gh12186_1.phpt b/ext/hash/tests/gh12186_1.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Hash: bug #12186 - segfault in hash_copy() on a finalized context
+--FILE--
+<?php
+
+$c = hash_init('sha1');
+hash_final($c);
+hash_copy($c);
+
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: hash_copy(): Argument #1 ($context) must be a valid, non-finalized HashContext in %s:5
+Stack trace:
+#0 %s(5): hash_copy(Object(HashContext))
+#1 {main}
+  thrown in %s on line 5
diff --git a/ext/hash/tests/gh12186_2.phpt b/ext/hash/tests/gh12186_2.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Hash: bug #12186 - segfault when cloning a finalized context
+--FILE--
+<?php
+
+$c = hash_init('sha1');
+hash_final($c);
+clone $c;
+
+?>
+--EXPECTF--
+Fatal error: Uncaught ValueError: Cannot clone a finalized HashContext in %s
+Stack trace:
+#0 {main}
+  thrown in %s on line 5
diff --git a/ext/hash/tests/reuse.phpt b/ext/hash/tests/reuse.phpt
@@ -14,4 +14,4 @@ catch (\Error $e) {
 
 ?>
 --EXPECT--
-hash_update(): Argument #1 ($context) must be a valid Hash Context resource
+hash_update(): Argument #1 ($context) must be a valid, non-finalized HashContext