Fix uninitialized memory in parse_ini_string()

Introduced by GH-11014 Fixes oss-fuzz #58080 Closes GH-11092
2026-03-24 00:02:20 +01:00 · 2023-04-17 14:15:22 +02:00
parent 5a4083181b
commit b340e10d6e
2 changed files with 4 additions and 0 deletions
--- a/Zend/zend_ini_parser.y
+++ b/Zend/zend_ini_parser.y
@@ -110,6 +110,7 @@ static void zend_ini_init_string(zval *result)
 	} else {
 		ZVAL_EMPTY_STRING(result);
 	}
+	Z_EXTRA_P(result) = 0;
 }
 /* }}} */

@@ -307,6 +308,7 @@ static void normalize_value(zval *zv)
 		return;
 	}

+	ZEND_ASSERT(Z_EXTRA_P(zv) == 0 || Z_EXTRA_P(zv) == INI_ZVAL_IS_NUMBER);
 	if (Z_EXTRA_P(zv) == INI_ZVAL_IS_NUMBER && Z_TYPE_P(zv) == IS_STRING) {
 		zval number_rv;
 		if (convert_to_number(&number_rv, Z_STRVAL_P(zv), Z_STRLEN_P(zv)) == SUCCESS) {
--- a/Zend/zend_ini_scanner.l
+++ b/Zend/zend_ini_scanner.l
@@ -145,6 +145,7 @@ ZEND_API zend_ini_scanner_globals ini_scanner_globals;
 	if (SCNG(scanner_mode) == ZEND_INI_SCANNER_TYPED &&            \
 		(YYSTATE == STATE(ST_VALUE) || YYSTATE == STATE(ST_RAW))) {\
 		zend_ini_copy_typed_value(ini_lval, type, str, len);       \
+		Z_EXTRA_P(ini_lval) = 0;                                   \
 	} else {                                                       \
 		zend_ini_copy_value(ini_lval, str, len);                   \
 	}                                                              \
@@ -598,6 +599,7 @@ end_raw_value_chars:
 	yyleng = YYCURSOR - SCNG(yy_text);

 	zend_ini_escape_string(ini_lval, yytext, yyleng, '"');
+	Z_EXTRA_P(ini_lval) = 0;
 	return TC_QUOTED_STRING;
 }