Fix GH-10692: PHP crashes on Windows when an inexistent filename is executed

nielsdos · devnexen · commit df579adac7b9 · 2023-02-25T14:32:55.000Z
Fixes GH-10692 php_fopen_primary_script() does not initialize all fields of zend_file_handle. So when it fails and when fastcgi is true, the zend_destroy_file_handle() function will try to free uninitialized pointers, causing a segmentation fault. Fix it by zero-initializing file handles just like the zend_stream_init_fp() counterpart does. Closes GH-10697.
diff --git a/NEWS b/NEWS
@@ -16,6 +16,8 @@ PHP                                                                        NEWS
     misleadingly with the wrong return type. (nielsdos)
   . Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer
     constant name). (nielsdos)
+  . Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle()
+    freeing dangling pointers on the handle as it was uninitialized. (nielsdos)
 
 - Curl:
   . Fixed deprecation warning at compile time. (Max Kellermann)
diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
@@ -353,6 +353,8 @@ PHPAPI int php_fopen_primary_script(zend_file_handle *file_handle)
 	size_t length;
 	bool orig_display_errors;
 
+	memset(file_handle, 0, sizeof(zend_file_handle));
+
 	path_info = SG(request_info).request_uri;
 #if HAVE_PWD_H
 	if (PG(user_dir) && *PG(user_dir) && path_info && '/' == path_info[0] && '~' == path_info[1]) {
