From bbee2d7897cd5eaca58deea0177e006c09983fdc Mon Sep 17 00:00:00 2001
From: Jorg Sowa
Date: Fri, 3 Jul 2026 19:26:11 +0200
Subject: [PATCH] Fix NULL pointer dereference in SessionHandler::create_sid()

s_create_sid() can return NULL when php_random_bytes_throw() fails (e.g. CSPRNG exhaustion), but RETURN_STR() dereferences the string unconditionally. Every other internal caller of s_create_sid() in session.c (php_session_initialize, session_regenerate_id) already NULL-checks the result; this PHP-facing method, reachable from any userland SessionHandler subclass via create_sid(), did not.

No dedicated regression test is added: forcing php_random_bytes_throw() to fail is not portably reproducible from a .phpt test (it's a raw getrandom() syscall on Linux and CCRandomGenerateBytes on macOS, neither of which can be faulted from userland), which is also why the existing NULL-checks this mirrors in session.c have none either.
---
 ext/session/mod_user_class.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ext/session/mod_user_class.c b/ext/session/mod_user_class.c
index a6bd69c91a07..d306842d0b9a 100644
--- a/ext/session/mod_user_class.c
+++ b/ext/session/mod_user_class.c
@@ -149,6 +149,12 @@ PHP_METHOD(SessionHandler, create_sid)
 PS_SANITY_CHECK;
 id = PS(default_mod)->s_create_sid(&PS(mod_data));
+ if (!id) {
+ if (!EG(exception)) {
+ zend_throw_error(NULL, "Failed to create session ID: %s", PS(default_mod)->s_name);
+ }
+ RETURN_THROWS();
+ }
 RETURN_STR(id);
 }
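Review bot: The new NULL branch gives a reader no hint why s_create_sid() can come back NULL or why the `!EG(exception)` guard is there, so a one-line comment above `if (!id) {` would save the next maintainer a trip into session.c, e.g. `/* s_create_sid() returns NULL when the CSPRNG fails (php_random_bytes_throw); an exception is normally already pending, but a missing ID must never reach RETURN_STR(). */`. If the counterpart checks in php_session_initialize() and session_regenerate_id() that this mirrors also report the save path in their message, consider matching that format so the three failures are grep-able together; that is inferred from the commit message, not visible in this hunk. The enclosing PHP_METHOD body starts above the hunk (the declaration of `id` is outside it).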