php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix memory leak when encoding check fails

Browse Source 
zlib_create_dictionary_string() allocates memory, so we can leak memory
if there's an early exit before the assignment to the return value.
Solve this by moving all validation upwards.

Closes GH-17788.
This commit is contained in:
ndossche
2025-02-13 16:53:43 +01:00
committed by Niels Dossche
parent 4b5c29ef50
commit a54af45a41
3 changed files with 29 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
NEWS
View File

@@ -41,6 +41,7 @@ PHP NEWS
- Zlib:
. Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
(nielsdos)
. Fix memory leak when encoding check fails. (nielsdos)
13 Feb 2025, PHP 8.3.17

20
ext/zlib/tests/leak_invalid_encoding_with_dict.phpt Normal file
View File

@@ -0,0 +1,20 @@
--TEST--
Memory leak when passing a dictionary with invalid encoding
--EXTENSIONS--
zlib
--FILE--
<?php
try {
inflate_init(123456, ["dictionary" => "dict"]);
} catch (ValueError $e) {
echo $e->getMessage(), "\n";
}
try {
deflate_init(123456, ["dictionary" => "dict"]);
} catch (ValueError $e) {
echo $e->getMessage(), "\n";
}
?>
--EXPECT--
Encoding mode must be ZLIB_ENCODING_RAW, ZLIB_ENCODING_GZIP or ZLIB_ENCODING_DEFLATE
deflate_init(): Argument #1 ($encoding) must be one of ZLIB_ENCODING_RAW, ZLIB_ENCODING_GZIP, or ZLIB_ENCODING_DEFLATE

16
ext/zlib/zlib.c
View File

@@ -879,10 +879,6 @@ PHP_FUNCTION(inflate_init)
RETURN_THROWS();
}
if (!zlib_create_dictionary_string(options, &dict, &dictlen)) {
RETURN_THROWS();
}
switch (encoding) {
case PHP_ZLIB_ENCODING_RAW:
case PHP_ZLIB_ENCODING_GZIP:
@@ -893,6 +889,10 @@ PHP_FUNCTION(inflate_init)
RETURN_THROWS();
}
if (!zlib_create_dictionary_string(options, &dict, &dictlen)) {
RETURN_THROWS();
}
object_init_ex(return_value, inflate_context_ce);
ctx = Z_INFLATE_CONTEXT_P(return_value);
@@ -1132,10 +1132,6 @@ PHP_FUNCTION(deflate_init)
RETURN_THROWS();
}
if (!zlib_create_dictionary_string(options, &dict, &dictlen)) {
RETURN_THROWS();
}
switch (encoding) {
case PHP_ZLIB_ENCODING_RAW:
case PHP_ZLIB_ENCODING_GZIP:
@@ -1146,6 +1142,10 @@ PHP_FUNCTION(deflate_init)
RETURN_THROWS();
}
if (!zlib_create_dictionary_string(options, &dict, &dictlen)) {
RETURN_THROWS();
}
object_init_ex(return_value, deflate_context_ce);
ctx = Z_DEFLATE_CONTEXT_P(return_value);