Fix segmentation fault in Randomizer::getBytes() if a user engine throws (#9055)

TimWolla · web-flow · commit 998ede7123a4 · 2022-07-20T17:32:22.000+02:00
This fixes:

    ==374077== Use of uninitialised value of size 8
    ==374077==    at 0x532B06: generate (engine_user.c:39)
    ==374077==    by 0x533F71: zim_Random_Randomizer_getBytes (randomizer.c:152)
    ==374077==    by 0x7F581D: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1885)
    ==374077==    by 0x8725BE: execute_ex (zend_vm_execute.h:55930)
    ==374077==    by 0x877DB4: zend_execute (zend_vm_execute.h:60253)
    ==374077==    by 0x7B0FD4: zend_execute_scripts (zend.c:1770)
    ==374077==    by 0x6F1647: php_execute_script (main.c:2535)
    ==374077==    by 0x937DA4: do_cli (php_cli.c:964)
    ==374077==    by 0x938C3A: main (php_cli.c:1333)
    ==374077==
    ==374077== Invalid read of size 8
    ==374077==    at 0x532B06: generate (engine_user.c:39)
    ==374077==    by 0x533F71: zim_Random_Randomizer_getBytes (randomizer.c:152)
    ==374077==    by 0x7F581D: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1885)
    ==374077==    by 0x8725BE: execute_ex (zend_vm_execute.h:55930)
    ==374077==    by 0x877DB4: zend_execute (zend_vm_execute.h:60253)
    ==374077==    by 0x7B0FD4: zend_execute_scripts (zend.c:1770)
    ==374077==    by 0x6F1647: php_execute_script (main.c:2535)
    ==374077==    by 0x937DA4: do_cli (php_cli.c:964)
    ==374077==    by 0x938C3A: main (php_cli.c:1333)
    ==374077==  Address 0x11 is not stack'd, malloc'd or (recently) free'd
diff --git a/ext/random/engine_user.c b/ext/random/engine_user.c
@@ -30,6 +30,11 @@ static uint64_t generate(php_random_status *status)
 
 	zend_call_known_instance_method_with_0_params(s->generate_method, s->object, &retval);
 
+	if (EG(exception)) {
+		status->last_unsafe = true;
+		return 0;
+	}
+
 	/* Store generated size in a state */
 	size = Z_STRLEN(retval);
 
diff --git a/ext/random/tests/03_randomizer/user_exits.phpt b/ext/random/tests/03_randomizer/user_exits.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Random: Randomizer: User: Engine exits
+--FILE--
+<?php
+
+$randomizer = (new \Random\Randomizer(
+    new class () implements \Random\Engine {
+        public function generate(): string
+        {
+            exit("Exit\n");
+        }
+    }
+));
+
+var_dump($randomizer->getBytes(1));
+
+?>
+--EXPECT--
+Exit
diff --git a/ext/random/tests/03_randomizer/user_throws.phpt b/ext/random/tests/03_randomizer/user_throws.phpt
@@ -0,0 +1,29 @@
+--TEST--
+Random: Randomizer: User: Engine throws
+--FILE--
+<?php
+
+$randomizer = (new \Random\Randomizer(
+    new class () implements \Random\Engine {
+        public function generate(): string
+        {
+            throw new Exception('Error');
+        }
+    }
+));
+
+var_dump($randomizer->getBytes(1));
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception: Error in %s:%d
+Stack trace:
+#0 [internal function]: Random\Engine@anonymous->generate()
+#1 %s(%d): Random\Randomizer->getBytes(1)
+#2 {main}
+
+Next RuntimeException: Random number generation failed in %s:%d
+Stack trace:
+#0 %s(%d): Random\Randomizer->getBytes(1)
+#1 {main}
+  thrown in %s on line %d
