ext/ldap: Fix phpGH-16101 (Segfaults in php_ldap_do_search() when LDA…

…Ps is not a list)
Girgias · Sep 28, 2024 · 44f48dc · 44f48dc
1 parent 15a0c3a
commit 44f48dc
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -22,6 +22,8 @@ PHP                                                                        NEWS
 - LDAP:
   . Fixed bug GH-16032 (Various NULL pointer dereferencements in
     ldap_modify_batch()). (Girgias)
+  . Fixed bug GH-16101 (Segfault in ldap_list(), ldap_read(), and ldap_search()
+    when LDAPs array is not a list). (Girgias)
 
 - PHPDBG:
   . Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb)

diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
@@ -1429,6 +1429,11 @@ static void php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS, int scope)
 			ret = 0;
 			goto cleanup;
 		}
+		if (!zend_array_is_list(Z_ARRVAL_P(link))) {
+			zend_argument_value_error(1, "must be a list");
+			ret = 0;
+			goto cleanup;
+		}
 
 		if (base_dn_ht) {
 			nbases = zend_hash_num_elements(base_dn_ht);

diff --git a/ext/ldap/tests/gh16101.phpt b/ext/ldap/tests/gh16101.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug GH-16101: Segfault in ldap_list(), ldap_read(), and ldap_search() when LDAPs array is not a list
+--EXTENSIONS--
+ldap
+--FILE--
+<?php
+
+/* We are assuming 3333 is not connectable */
+$ldap = ldap_connect('ldap://127.0.0.1:3333');
+$valid_dn = "cn=userA,something";
+$valid_filter = "";
+
+$ldaps_dict = [
+    "hello"  => $ldap,
+    "world"  => $ldap,
+];
+try {
+    var_dump(ldap_list($ldaps_dict, $valid_dn, $valid_filter));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+
+?>
+--EXPECT--
+ValueError: ldap_list(): Argument #1 ($ldap) must be a list