mirror of https://github.com/php/php-src.git synced 2026-03-24 08:12:21 +01:00

Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
  Fix GH-18082: Memory leaks in fuzzer SAPI error paths
Niels Dossche
2025-03-16 16:38:55 +01:00
5 changed files with 22 additions and 17 deletions

4
NEWS

@@ -36,6 +36,10 @@ PHP NEWS
. Fixed bug GH-17991 (Assertion failure dom_attr_value_write). (nielsdos)
. Fix weird unpack behaviour in DOM. (nielsdos)
- Fuzzer:
. Fixed bug GH-18081 (Memory leaks in error paths of fuzzer SAPI).
(Lung-Alexandra)
- GD:
. Fixed bug GH-17984 (calls with arguments as array with references).
(David Carlier)


@@ -15,8 +15,6 @@
+----------------------------------------------------------------------+
*/
#include "fuzzer.h"
#include "Zend/zend.h"
@@ -31,14 +29,15 @@
#include "ext/json/php_json_parser.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
char *data = malloc(Size+1);
memcpy(data, Data, Size);
data[Size] = '\0';
if (fuzzer_request_startup() == FAILURE) {
if (fuzzer_request_startup() == FAILURE){
return 0;
}
char *data = malloc(Size + 1);
memcpy(data, Data, Size);
data[Size] = '\0';
for (int option = 0; option <=1; ++option) {
zval result;
php_json_parser parser;
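Review bot: The `malloc(Size + 1)` result goes straight into `memcpy` and `data[Size] = '\0'` without a NULL check, so an allocation failure during a memory-constrained fuzzing run would presumably crash the harness itself and be triaged as a finding against the target. Add `if (data == NULL)` directly after the allocation; because the request has already been started at that point, that path should leave through the same request shutdown the function uses on its normal exit, which is outside this hunk. The same unchecked pattern appears in the three later file sections (`data` in the `HAVE_MBREGEX` harness, `orig_data` in the other two).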


@@ -30,15 +30,16 @@
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#ifdef HAVE_MBREGEX
char *args[2];
char *data = malloc(Size+1);
memcpy(data, Data, Size);
data[Size] = '\0';
if (fuzzer_request_startup() == FAILURE) {
return 0;
}
char *args[2];
char *data = malloc(Size+1);
memcpy(data, Data, Size);
data[Size] = '\0';
fuzzer_setup_dummy_frame();
args[0] = data;
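Review bot: Nothing in the new code records why `fuzzer_request_startup()` now has to run before the `malloc`, so a later tidy-up could move the allocation back to the top of the function and reintroduce the leak on the `return 0` path. A one-line comment above the check would pin the ordering, e.g. `/* Start the request before allocating: the FAILURE return below frees nothing. */`. The same comment fits the other three harnesses touched by this commit. The function body continues outside the hunk.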


@@ -30,14 +30,15 @@
#include "ext/standard/php_var.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
unsigned char *orig_data = malloc(Size+1);
memcpy(orig_data, Data, Size);
orig_data[Size] = '\0';
if (fuzzer_request_startup() == FAILURE) {
return 0;
}
unsigned char *orig_data = malloc(Size+1);
memcpy(orig_data, Data, Size);
orig_data[Size] = '\0';
fuzzer_setup_dummy_frame();
{


@@ -34,15 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
}
++Start;
if (fuzzer_request_startup() == FAILURE) {
return 0;
}
size_t Size = (Data + FullSize) - Start;
unsigned char *orig_data = malloc(Size+1);
memcpy(orig_data, Start, Size);
orig_data[Size] = '\0';
if (fuzzer_request_startup() == FAILURE) {
return 0;
}
fuzzer_setup_dummy_frame();
{