Merge branch 'PHP-8.4'

* PHP-8.4: ext/pcntl: Fix memory leak in cleanup code of pcntl_exec()
2026-03-24 00:02:20 +01:00 · 2024-12-15 22:14:25 +00:00
parent 1371f50daa 47b262086a
commit e02c226725
2 changed files with 30 additions and 4 deletions
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -673,7 +673,9 @@ PHP_FUNCTION(pcntl_exec)
 		envs_hash = Z_ARRVAL_P(envs);
 		envc = zend_hash_num_elements(envs_hash);

-		pair = envp = safe_emalloc((envc + 1), sizeof(char *), 0);
+		size_t envp_len = (envc + 1);
+		pair = envp = safe_emalloc(envp_len, sizeof(char *), 0);
+		memset(envp, 0, sizeof(char *) * envp_len);
 		ZEND_HASH_FOREACH_KEY_VAL(envs_hash, key_num, key, element) {
 			if (envi >= envc) break;
 			if (!key) {
@@ -684,9 +686,7 @@ PHP_FUNCTION(pcntl_exec)

 			if (!try_convert_to_string(element)) {
 				zend_string_release(key);
-				efree(argv);
-				efree(envp);
-				RETURN_THROWS();
+				goto cleanup_env_vars;
 			}

 			/* Length of element + equal sign + length of key + null */
@@ -709,6 +709,7 @@ PHP_FUNCTION(pcntl_exec)
 			php_error_docref(NULL, E_WARNING, "Error has occurred: (errno %d) %s", errno, strerror(errno));
 		}

+cleanup_env_vars:
 		/* Cleanup */
 		for (pair = envp; *pair != NULL; pair++) efree(*pair);
 		efree(envp);
--- a/ext/pcntl/tests/pcntl_exec_invalid_strings.phpt
+++ b/ext/pcntl/tests/pcntl_exec_invalid_strings.phpt
@@ -0,0 +1,25 @@
+--TEST--
+pcntl_exec(): Test cleanup after non-stringable array value has been encountered for $args and $env_vars.
+--EXTENSIONS--
+pcntl
+--FILE--
+<?php
+try {
+    pcntl_exec('cmd', ['-n', new stdClass()]);
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+try {
+    pcntl_exec(
+        'cmd',
+        ['-n'],
+        ['var1' => 'value1', 'var2' => new stdClass()],
+    );
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Error: Object of class stdClass could not be converted to string
+Error: Object of class stdClass could not be converted to string