Merge branch 'PHP-8.5'

* PHP-8.5:
  Fix memory leak in shm_get_var() when variable is corrupted

ext/sysvshm/sysvshm.c

@@ -311,11 +311,13 @@ PHP_FUNCTION(shm_get_var)
 	shm_data = &shm_var->mem;
 
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
-	if (php_var_unserialize(return_value, (const unsigned char **) &shm_data, (unsigned char *) shm_data + shm_var->length, &var_hash) != 1) {
-		php_error_docref(NULL, E_WARNING, "Variable data in shared memory is corrupted");
-		RETVAL_FALSE;
-	}
+	int res = php_var_unserialize(return_value, (const unsigned char **) &shm_data, (unsigned char *) shm_data + shm_var->length, &var_hash);
 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+	if (res != 1) {
+		php_error_docref(NULL, E_WARNING, "Variable data in shared memory is corrupted");
+		zval_ptr_dtor(return_value);
+		RETURN_FALSE;
+	}
 }
 /* }}} */
 

ext/sysvshm/tests/shm_get_var_leak.phpt

@@ -0,0 +1,37 @@
+--TEST--
+shm_get_var() leaks if variable is corrupted
+--EXTENSIONS--
+sysvshm
+ffi
+--INI--
+ffi.enable=1
+--SKIPIF--
+<?php
+if (!function_exists('ftok')) die('skip needs ftok');
+if (PHP_INT_SIZE !== 8) die('skip only for 64-bit');
+if (PHP_OS_FAMILY !== 'Linux') die('skip only for decent operating systems');
+?>
+--FILE--
+<?php
+
+$key = ftok(__FILE__, 't');
+$s = shm_attach($key, 128);
+
+shm_put_var($s, 0, [1, 2]);
+
+$ffi = FFI::cdef(<<<CODE
+int shmget(int, size_t, int);
+char *shmat(int, const void *, int);
+CODE);
+$ptr = $ffi->shmat($ffi->shmget($key, 0, 0), $ffi->new('void *'), 0);
+
+$ptr[0x40 + 13] = 0; // Corrupt first byte of second element of serialized data
+
+var_dump(shm_get_var($s, 0));
+
+shm_remove($s);
+
+?>
+--EXPECTF--
+Warning: shm_get_var(): Variable data in shared memory is corrupted in %s on line %d
+bool(false)