Add a unlink check for php_stream_bucket_unlink

jvoisin · jvoisin · commit 22a31bdc3e6b · 2024-06-06T17:16:49.000+02:00
This is in the same spirit as #13943: low-hanging, not in a hot-path, trivial, removing a limited-linear-write → arbitrary-write primitive, … moreover, given how many filters are available, having some low-hanging hardening there shouldn't hurt. cc @arnaud-lb
diff --git a/main/streams/filter.c b/main/streams/filter.c
@@ -22,6 +22,14 @@
 #include <stddef.h>
 #include <fcntl.h>
 
+#ifndef ZEND_HEAP_CHECK
+# define ZEND_HEAP_CHECK(condition, message)  do { \
+		if (UNEXPECTED(!(condition))) { \
+			zend_mm_panic(message); \
+		} \
+	} while (0)
+#endif
+
 #include "php_streams_int.h"
 
 /* Global filter hash, copied to FG(stream_filters) on registration of volatile filter */
@@ -192,11 +200,14 @@ PHPAPI void php_stream_bucket_append(php_stream_bucket_brigade *brigade, php_str
 PHPAPI void php_stream_bucket_unlink(php_stream_bucket *bucket)
 {
 	if (bucket->prev) {
+		ZEND_HEAP_CHECK(bucket->prev->next == bucket, "Stream bucket list corruption.");
+		}
 		bucket->prev->next = bucket->next;
 	} else if (bucket->brigade) {
 		bucket->brigade->head = bucket->next;
 	}
 	if (bucket->next) {
+		ZEND_HEAP_CHECK(bucket->next->prev == bucket, "Stream bucket list corruption.");
 		bucket->next->prev = bucket->prev;
 	} else if (bucket->brigade) {
 		bucket->brigade->tail = bucket->prev;
