Fix #81407: shmop_open won't attach and causes php to crash

cmb69 · cmb69 · commit f3d24af74fdc · 2021-09-02T23:16:48.000+02:00
We need to allocate buffers for the file mapping names which are large enough for all potential keys (`key_t` is defined as `int` on Windows). Regarding the test: it's probably never a good idea to use hard-coded keys (should always use `ftok()` instead), but to reliably reproduce this Windows specific issue we need to, and it shouldn't be an issue on that OS. Closes GH-7448.
diff --git a/NEWS b/NEWS
@@ -16,6 +16,9 @@ PHP                                                                        NEWS
   . Fixed bug #81353 (segfault with preloading and statically bound closure).
     (Nikita)
 
+- Shmop:
+  . Fixed bug #81407 (shmop_open won't attach and causes php to crash). (cmb)
+
 - Standard:
   . Fixed bug #71542 (disk_total_space does not work with relative paths). (cmb)
   . Fixed bug #81400 (Unterminated string in dns_get_record() results). (cmb)
diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c
@@ -611,16 +611,20 @@ TSRM_API int pclose(FILE *stream)
 	return termstat;
 }/*}}}*/
 
+#define SEGMENT_PREFIX "TSRM_SHM_SEGMENT:"
+#define DESCRIPTOR_PREFIX "TSRM_SHM_DESCRIPTOR:"
+#define INT_MIN_AS_STRING "-2147483648"
+
 TSRM_API int shmget(key_t key, size_t size, int flags)
 {/*{{{*/
 	shm_pair *shm;
-	char shm_segment[26], shm_info[29];
+	char shm_segment[sizeof(SEGMENT_PREFIX INT_MIN_AS_STRING)], shm_info[sizeof(DESCRIPTOR_PREFIX INT_MIN_AS_STRING)];
 	HANDLE shm_handle = NULL, info_handle = NULL;
 	BOOL created = FALSE;
 
 	if (key != IPC_PRIVATE) {
-		snprintf(shm_segment, sizeof(shm_segment), "TSRM_SHM_SEGMENT:%d", key);
-		snprintf(shm_info, sizeof(shm_info), "TSRM_SHM_DESCRIPTOR:%d", key);
+		snprintf(shm_segment, sizeof(shm_segment), SEGMENT_PREFIX "%d", key);
+		snprintf(shm_info, sizeof(shm_info), DESCRIPTOR_PREFIX "%d", key);
 
 		shm_handle  = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, shm_segment);
 		info_handle = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, shm_info);
diff --git a/ext/shmop/tests/bug81407.phpt b/ext/shmop/tests/bug81407.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #81407 (shmop_open won't attach and causes php to crash)
+--SKIPIF--
+<?php
+if (PHP_OS_FAMILY !== "Windows") die("skip for Windows only");
+if (!extension_loaded("shmop")) die("skip shmop extension not available");
+?>
+--FILE--
+<?php
+$a = shmop_open(367504384, 'n', 0664, 262144);
+$b = shmop_open(367504385, 'n', 0664, 65536);
+if ($b == false) {
+	$b = shmop_open(367504385, 'w', 0664, 65536);
+}
+var_dump($a !== false, $b !== false);
+?>
+--EXPECT--
+bool(true)
+bool(true)
