From 38e553e4182437111432841651cca1c6ce2a8632 Mon Sep 17 00:00:00 2001 From: Katherine456719 Date: Sat, 15 Mar 2025 23:24:06 +0200 Subject: [PATCH] Fix GH-18082: Memory leaks in fuzzer SAPI error paths Closes GH-18081. --- NEWS | 4 ++++ sapi/fuzzer/fuzzer-json.c | 11 +++++------ sapi/fuzzer/fuzzer-mbregex.c | 9 +++++---- sapi/fuzzer/fuzzer-unserialize.c | 7 ++++--- sapi/fuzzer/fuzzer-unserializehash.c | 8 ++++---- 5 files changed, 22 insertions(+), 17 deletions(-) diff --git a/NEWS b/NEWS index 8c9400b4a66..59b66e85f84 100644 --- a/NEWS +++ b/NEWS @@ -25,6 +25,10 @@ PHP NEWS - Embed: . Fixed bug GH-8533 (Unable to link dynamic libphp on Mac). (Kévin Dunglas) +- Fuzzer: + . Fixed bug GH-18081 (Memory leaks in error paths of fuzzer SAPI). + (Lung-Alexandra) + - Mbstring: . Fixed bug GH-17989 (mb_output_handler crash with unset http_output_conv_mimetypes). (nielsdos) diff --git a/sapi/fuzzer/fuzzer-json.c b/sapi/fuzzer/fuzzer-json.c index 4335598bc3c..f5c00d77d99 100644 --- a/sapi/fuzzer/fuzzer-json.c +++ b/sapi/fuzzer/fuzzer-json.c @@ -15,8 +15,6 @@ +----------------------------------------------------------------------+ */ - - #include "fuzzer.h" #include "Zend/zend.h" @@ -31,14 +29,15 @@ #include "ext/json/php_json_parser.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - char *data = malloc(Size+1); - memcpy(data, Data, Size); - data[Size] = '\0'; - if (fuzzer_request_startup() == FAILURE) { + if (fuzzer_request_startup() == FAILURE){ return 0; } + char *data = malloc(Size + 1); + memcpy(data, Data, Size); + data[Size] = '\0'; + for (int option = 0; option <=1; ++option) { zval result; php_json_parser parser; diff --git a/sapi/fuzzer/fuzzer-mbregex.c b/sapi/fuzzer/fuzzer-mbregex.c index 970a7b5baee..afcd2b5c1ba 100644 --- a/sapi/fuzzer/fuzzer-mbregex.c +++ b/sapi/fuzzer/fuzzer-mbregex.c @@ -30,15 +30,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { #ifdef HAVE_MBREGEX - char *args[2]; - char *data = malloc(Size+1); - memcpy(data, Data, Size); - data[Size] = '\0'; if (fuzzer_request_startup() == FAILURE) { return 0; } + char *args[2]; + char *data = malloc(Size+1); + memcpy(data, Data, Size); + data[Size] = '\0'; + fuzzer_setup_dummy_frame(); args[0] = data; diff --git a/sapi/fuzzer/fuzzer-unserialize.c b/sapi/fuzzer/fuzzer-unserialize.c index ff26e5b1e8d..d58b35ca32b 100644 --- a/sapi/fuzzer/fuzzer-unserialize.c +++ b/sapi/fuzzer/fuzzer-unserialize.c @@ -30,14 +30,15 @@ #include "ext/standard/php_var.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - unsigned char *orig_data = malloc(Size+1); - memcpy(orig_data, Data, Size); - orig_data[Size] = '\0'; if (fuzzer_request_startup() == FAILURE) { return 0; } + unsigned char *orig_data = malloc(Size+1); + memcpy(orig_data, Data, Size); + orig_data[Size] = '\0'; + fuzzer_setup_dummy_frame(); { diff --git a/sapi/fuzzer/fuzzer-unserializehash.c b/sapi/fuzzer/fuzzer-unserializehash.c index 5d29eb5fb8c..03c64dcbca0 100644 --- a/sapi/fuzzer/fuzzer-unserializehash.c +++ b/sapi/fuzzer/fuzzer-unserializehash.c @@ -34,15 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) { } ++Start; + if (fuzzer_request_startup() == FAILURE) { + return 0; + } + size_t Size = (Data + FullSize) - Start; unsigned char *orig_data = malloc(Size+1); memcpy(orig_data, Start, Size); orig_data[Size] = '\0'; - if (fuzzer_request_startup() == FAILURE) { - return 0; - } - fuzzer_setup_dummy_frame(); {