- Fixed bug #62205 (php-fpm segfaults (null passed to strstr))

Author: Jerome Loyet

NEWS

@@ -68,6 +68,7 @@ PHP                                                                        NEWS
   . Fixed bug #62160 (Add process.priority to set nice(2) priorities). (fat)
   . Fixed bug #61218 (FPM drops connection while receiving some binary values
     in FastCGI requests). (fat)
+  . Fixed bug #62205 (php-fpm segfaults (null passed to strstr)). (fat)
 
 - Intl
   . ResourceBundle constructor now accepts NULL for the first two arguments.

sapi/fpm/fpm/fpm_php.c

@@ -257,3 +257,41 @@ int fpm_php_limit_extensions(char *path) /* {{{ */
 	return 1; /* extension not found: not allowed  */
 }
 /* }}} */
+
+char* fpm_php_get_string_from_table(char *table, char *key TSRMLS_DC) /* {{{ */
+{
+	zval **data, **tmp;
+	char *string_key;
+	uint string_len;
+	ulong num_key;
+	if (!table || !key) {
+		return NULL;
+	}
+
+	/* inspired from ext/standard/info.c */
+
+	zend_is_auto_global(table, strlen(table) TSRMLS_CC);
+
+	/* find the table and ensure it's an array */
+	if (zend_hash_find(&EG(symbol_table), table, strlen(table) + 1, (void **) &data) == SUCCESS && Z_TYPE_PP(data) == IS_ARRAY) {
+
+		/* reset the internal pointer */
+		zend_hash_internal_pointer_reset(Z_ARRVAL_PP(data));
+
+		/* parse the array to look for our key */
+		while (zend_hash_get_current_data(Z_ARRVAL_PP(data), (void **) &tmp) == SUCCESS) {
+			/* ensure the key is a string */
+			if (zend_hash_get_current_key_ex(Z_ARRVAL_PP(data), &string_key, &string_len, &num_key, 0, NULL) == HASH_KEY_IS_STRING) {
+				/* compare to our key */
+				if (!strncmp(string_key, key, string_len)) {
+					return Z_STRVAL_PP(tmp);
+				}
+			}
+			zend_hash_move_forward(Z_ARRVAL_PP(data));
+		}
+	}
+
+	return NULL;
+}
+/* }}} */
+

sapi/fpm/fpm/fpm_php.h

@@ -44,6 +44,7 @@ void fpm_php_soft_quit();
 int fpm_php_init_main();
 int fpm_php_apply_defines_ex(struct key_value_s *kv, int mode);
 int fpm_php_limit_extensions(char *path);
+char* fpm_php_get_string_from_table(char *table, char *key TSRMLS_DC);
 
 #endif
 

sapi/fpm/fpm/fpm_status.c

@@ -14,6 +14,7 @@
 #include "zlog.h"
 #include "fpm_atomic.h"
 #include "fpm_conf.h"
+#include "fpm_php.h"
 #include <ext/standard/html.h>
 
 static char *fpm_status_uri = NULL;
@@ -125,13 +126,13 @@ int fpm_status_handle_request(TSRMLS_D) /* {{{ */
 		}
 
 		/* full status ? */
-		full = SG(request_info).request_uri && strstr(SG(request_info).query_string, "full");
+		full = (fpm_php_get_string_from_table("_GET", "full" TSRMLS_CC) != NULL);
 		short_syntax = short_post = NULL;
 		full_separator = full_pre = full_syntax = full_post = NULL;
 		encode = 0;
 
 		/* HTML */
-		if (SG(request_info).query_string && strstr(SG(request_info).query_string, "html")) {
+		if (fpm_php_get_string_from_table("_GET", "html" TSRMLS_CC)) {
 			sapi_add_header_ex(ZEND_STRL("Content-Type: text/html"), 1, 1 TSRMLS_CC);
 			time_format = "%d/%b/%Y:%H:%M:%S %z";
 			encode = 1;
@@ -205,7 +206,7 @@ int fpm_status_handle_request(TSRMLS_D) /* {{{ */
 			}
 
 		/* XML */
-		} else if (SG(request_info).request_uri && strstr(SG(request_info).query_string, "xml")) {
+		} else if (fpm_php_get_string_from_table("_GET", "xml" TSRMLS_CC)) {
 			sapi_add_header_ex(ZEND_STRL("Content-Type: text/xml"), 1, 1 TSRMLS_CC);
 			time_format = "%s";
 			encode = 1;
@@ -256,7 +257,7 @@ int fpm_status_handle_request(TSRMLS_D) /* {{{ */
 				}
 
 			/* JSON */
-		} else if (SG(request_info).request_uri && strstr(SG(request_info).query_string, "json")) {
+		} else if (fpm_php_get_string_from_table("_GET", "json" TSRMLS_CC)) {
 			sapi_add_header_ex(ZEND_STRL("Content-Type: application/json"), 1, 1 TSRMLS_CC);
 			time_format = "%s";