From ff2c7dc0f8ebf3ae811b4b13eb7bc7662051a988 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Thu, 22 May 2025 23:06:00 +0200 Subject: [PATCH 1/2] Fix leaks with multiple calls to DatePeriod iterator current() Destroy the old value first. We can't skip recreating the value because the object may have been changed in between calls. Closes GH-18624. --- NEWS | 3 ++ ext/date/php_date.c | 1 + ...le_calls_date_period_iterator_current.phpt | 42 +++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 ext/date/tests/multiple_calls_date_period_iterator_current.phpt diff --git a/NEWS b/NEWS index c533ad33e49..4dce12d98f0 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.3.23 +- Date: + . Fix leaks with multiple calls to DatePeriod iterator current(). (nielsdos) + - Intl: . Fix memory leak in intl_datetime_decompose() on failure. (nielsdos) diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 2347fd55706..910149efae6 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -1607,6 +1607,7 @@ static zval *date_period_it_current_data(zend_object_iterator *iter) php_date_obj *newdateobj; /* Create new object */ + zval_ptr_dtor(&iterator->current); php_date_instantiate(get_base_date_class(object->start_ce), &iterator->current); newdateobj = Z_PHPDATE_P(&iterator->current); newdateobj->time = timelib_time_ctor(); diff --git a/ext/date/tests/multiple_calls_date_period_iterator_current.phpt b/ext/date/tests/multiple_calls_date_period_iterator_current.phpt new file mode 100644 index 00000000000..b0e90873e61 --- /dev/null +++ b/ext/date/tests/multiple_calls_date_period_iterator_current.phpt 
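Review bot: The added `zval_ptr_dtor(&iterator->current);` in `date_period_it_current_data()` is only safe if `iterator->current` is either undefined or a live value on every entry, including the first call after the iterator is created or rewound. That initialisation is outside this hunk, so it is worth confirming that every path which creates or invalidates the iterator leaves the slot as `ZVAL_UNDEF`. Between the destroy and `php_date_instantiate()` the slot still holds the released pointer, which looks harmless while nothing in between can bail out, but a `ZVAL_UNDEF(&iterator->current);` right after the dtor would make that explicit. The existing `/* Create new object */` comment now also covers the release; something like `/* Release the value from a previous current() call; it cannot be reused because the caller may have modified it */` would record the reasoning given in the commit message. The function body starts and ends outside the hunk.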
@@ -0,0 +1,42 @@ +--TEST-- +Multiple calls to DatePeriod iterator current() leak objects +--FILE-- +getIterator(); +var_dump($iter->current()); +var_dump($iter->current()); +$iter->current()->setTimestamp(0); +var_dump($iter->current()); + +?> +--EXPECT-- +object(DateTime)#9 (3) { + ["date"]=> + string(26) "2018-12-31 00:00:00.000000" + ["timezone_type"]=> + int(3) + ["timezone"]=> + string(3) "UTC" +} +object(DateTime)#9 (3) { + ["date"]=> + string(26) "2018-12-31 00:00:00.000000" + ["timezone_type"]=> + int(3) + ["timezone"]=> + string(3) "UTC" +} +object(DateTime)#9 (3) { + ["date"]=> + string(26) "2018-12-31 00:00:00.000000" + ["timezone_type"]=> + int(3) + ["timezone"]=> + string(3) "UTC" +} From b39e17b06c4c33ee95dc5c05456e9f794d5a8629 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sun, 25 May 2025 10:17:19 +0200 Subject: [PATCH 2/2] Fix memory leak in tidy output handler on error Closes GH-18649. --- NEWS | 3 +++ ext/tidy/tidy.c | 10 +++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index 4dce12d98f0..f790b5164cb 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,9 @@ PHP NEWS - Soap: . Fix memory leaks in php_http.c when call_user_function() fails. (nielsdos) +- Tidy: + . Fix memory leak in tidy output handler on error. (nielsdos) + 05 Jun 2025, PHP 8.3.22 - Core: diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c index 831fcb38153..46dd637f40e 100644 --- a/ext/tidy/tidy.c +++ b/ext/tidy/tidy.c @@ -965,6 +965,11 @@ static int php_tidy_output_handler(void **nothing, php_output_context *output_co TidyBuffer inbuf, outbuf, errbuf; if (TG(clean_output) && (output_context->op & PHP_OUTPUT_HANDLER_START) && (output_context->op & PHP_OUTPUT_HANDLER_FINAL)) { + if (ZEND_SIZE_T_UINT_OVFL(output_context->in.used)) { + php_error_docref(NULL, E_WARNING, "Input string is too long"); + return status; + } + doc = tidyCreate(); tidyBufInit(&errbuf); 
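Review bot: The early `return status;` in the relocated `ZEND_SIZE_T_UINT_OVFL(output_context->in.used)` guard depends on `status` already holding the failure value at that point. Its initialisation is outside the hunk in `php_tidy_output_handler()`, so it should be confirmed that an oversized buffer is not reported as handled. Judging by the macro name, this guard is what keeps a later narrowing of `in.used` to an unsigned int from truncating the length, so it needs to stay ahead of any use of the buffer as well as ahead of the allocations. A short comment would keep it from drifting back below `tidyCreate()`: `/* Must stay before tidyCreate()/tidyBufInit(): this early return releases nothing */`. The function starts and ends outside the hunk, so any other early exits after `tidyCreate()` could not be checked from here.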
@@ -972,11 +977,6 @@ static int php_tidy_output_handler(void **nothing, php_output_context *output_co tidyOptSetBool(doc, TidyForceOutput, yes); tidyOptSetBool(doc, TidyMark, no); - if (ZEND_SIZE_T_UINT_OVFL(output_context->in.used)) { - php_error_docref(NULL, E_WARNING, "Input string is too long"); - return status; - } - TIDY_SET_DEFAULT_CONFIG(doc); tidyBufInit(&inbuf);