Fix phpGH-13680: Segfault with session_decode and compilation error

nielsdos · nielsdos · commit 6985aff7c31d · 2024-03-13T17:47:25.000+01:00
It's illegal to return from a bailout because that doesn't restore the original bailout data. Return outside of it. Test by YuanchengJiang Closes phpGH-13689.
diff --git a/NEWS b/NEWS
@@ -27,6 +27,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown
     modes). (timwolla)
 
+- Session:
+  . Fixed bug GH-13680 (Segfault with session_decode and compilation error).
+    (nielsdos)
+
 - Sockets:
   . Fixed bug GH-13604 (socket_getsockname returns random characters in the end
     of the socket name). (David Carlier)
diff --git a/ext/session/session.c b/ext/session/session.c
@@ -259,16 +259,17 @@ static zend_result php_session_decode(zend_string *data) /* {{{ */
 		php_error_docref(NULL, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object");
 		return FAILURE;
 	}
+	zend_result result = SUCCESS;
 	zend_try {
 		if (PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data)) == FAILURE) {
 			php_session_cancel_decode();
-			return FAILURE;
+			result = FAILURE;
 		}
 	} zend_catch {
 		php_session_cancel_decode();
 		zend_bailout();
 	} zend_end_try();
-	return SUCCESS;
+	return result;
 }
 /* }}} */
 
diff --git a/ext/session/tests/gh13680.phpt b/ext/session/tests/gh13680.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-13680 (Segfault with session_decode and compilation error)
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--INI--
+session.use_cookies=0
+session.use_strict_mode=0
+session.cache_limiter=
+session.serialize_handler=php_serialize
+session.save_handler=files
+error_reporting=E_ALL
+--FILE--
+<?php
+session_start();
+session_decode('foo');
+class Test extends DateTime {
+    public static function createFromFormat($format, $datetime, $timezone = null): Wrong {}
+}
+?>
+--EXPECTF--
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
+
+Fatal error: Could not check compatibility between Test::createFromFormat($format, $datetime, $timezone = null): Wrong and DateTime::createFromFormat(string $format, string $datetime, ?DateTimeZone $timezone = null): DateTime|false, because class Wrong is not available in %s on line %d

Original file line number	Diff line number	Diff line change
`@@ -259,16 +259,17 @@ static zend_result php_session_decode(zend_string data) / {{{ */`
`259`	`259`	`php_error_docref(NULL, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object");`
`260`	`260`	`return FAILURE;`
`261`	`261`	`}`
	`262`	`+ zend_result result = SUCCESS;`
`262`	`263`	`zend_try {`
`263`	`264`	`if (PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data)) == FAILURE) {`
`264`	`265`	`php_session_cancel_decode();`
`265`		`- return FAILURE;`
	`266`	`+ result = FAILURE;`
`266`	`267`	`}`
`267`	`268`	`} zend_catch {`
`268`	`269`	`php_session_cancel_decode();`
`269`	`270`	`zend_bailout();`
`270`	`271`	`} zend_end_try();`
`271`		`- return SUCCESS;`
	`272`	`+ return result;`
`272`	`273`	`}`
`273`	`274`	`/* }}} */`
`274`	`275`