Fixed bug #69111 (Crash in SessionHandler::read()).

Made session save handler abuse much harder than before.

1 files changed, 24 insertions, 3 deletions

diff --git a/ext/session/mod_user_class.c b/ext/session/mod_user_class.c
index 392f09eda1..6768bec867 100644
--- a/ext/session/mod_user_class.c
+++ b/ext/session/mod_user_class.c
@@ -22,6 +22,10 @@
 #include "php_session.h"
 
 #define PS_SANITY_CHECK						\
+	if (PS(session_status) != php_session_active) { \
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Session is not active"); \
+		RETURN_FALSE; \
+	} \
 	if (PS(default_mod) == NULL) {				\
 		php_error_docref(NULL TSRMLS_CC, E_CORE_ERROR, "Cannot call default session handler"); \
 		RETURN_FALSE;						\
@@ -39,7 +43,7 @@
 PHP_METHOD(SessionHandler, open)
 {
 	char *save_path = NULL, *session_name = NULL;
-	int save_path_len, session_name_len;
+	int ret, save_path_len, session_name_len;
 
 	PS_SANITY_CHECK;
 
@@ -48,7 +52,14 @@ PHP_METHOD(SessionHandler, open)
 	}
 
 	PS(mod_user_is_open) = 1;
-	RETVAL_BOOL(SUCCESS == PS(default_mod)->s_open(&PS(mod_data), save_path, session_name TSRMLS_CC));
+	zend_try {
+		ret =PS(default_mod)->s_open(&PS(mod_data), save_path, session_name TSRMLS_CC);
+	} zend_catch {
+		PS(session_status) = php_session_none;
+		zend_bailout();
+	} zend_end_try();
+
+	RETVAL_BOOL(SUCCESS == ret);
 }
 /* }}} */
 
@@ -56,6 +67,8 @@ PHP_METHOD(SessionHandler, open)
    Wraps the old close handler */
 PHP_METHOD(SessionHandler, close)
 {
+	int ret;
+
 	PS_SANITY_CHECK_IS_OPEN;
 
 	// don't return on failure, since not closing the default handler
@@ -63,7 +76,15 @@ PHP_METHOD(SessionHandler, close)
 	zend_parse_parameters_none();
 	
 	PS(mod_user_is_open) = 0;
-	RETVAL_BOOL(SUCCESS == PS(default_mod)->s_close(&PS(mod_data) TSRMLS_CC));
+
+	zend_try {
+		ret = PS(default_mod)->s_close(&PS(mod_data) TSRMLS_CC);
+	} zend_catch {
+		PS(session_status) = php_session_none;
+		zend_bailout();
+	} zend_end_try();
+
+	RETVAL_BOOL(SUCCESS == ret);
 }
 /* }}} */