Fixed bug #72157 (use-after-free caused by dba_open)

Author: laruence

NEWS

@@ -20,6 +20,9 @@ PHP                                                                        NEWS
 - Curl:
   . Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE). (Pierrick)
 
+- DBA:
+  . Fixed bug #72157 (use-after-free caused by dba_open). (Shm, Laruence)
+
 - JSON:
   . Fixed bug #72069 (Behavior \JsonSerializable different from json_encode).
     (Laruence)

ext/dba/dba.c

@@ -658,11 +658,7 @@ static void php_dba_open(INTERNAL_FUNCTION_PARAMETERS, int persistent)
 
 	/* we only take string arguments */
 	for (i = 0; i < ac; i++) {
-		if (Z_TYPE(args[i]) != IS_STRING) {
-			convert_to_string_ex(&args[i]);
-		} else if (Z_REFCOUNTED(args[i])) {
-			Z_ADDREF(args[i]);
-		}
+		ZVAL_STR(&args[i], zval_get_string(&args[i]));
 		keylen += Z_STRLEN(args[i]);
 	}
 

ext/dba/tests/bug72157.phpt

@@ -0,0 +1,22 @@
+--TEST--
+Bug #72157 (use-after-free caused by dba_open)
+--SKIPIF--
+<?php 
+	require_once(dirname(__FILE__) .'/skipif.inc');
+?>
+--FILE--
+<?php
+$var0 = fopen(__FILE__,"r");
+$var5 = dba_open(null,$var0);
+$var5 = dba_open(null,$var0);
+$var5 = dba_open(null,$var0);
+$var5 = dba_open($var0,$var0);
+?>
+--EXPECTF--
+Warning: dba_open(,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d
+
+Warning: dba_open(,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d
+
+Warning: dba_open(,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d
+
+Warning: dba_open(Resource id #5,Resource id #5): Illegal DBA mode in %sbug72157.php on line %d