Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix GH-16326: Memory management is broken for bad dictionaries #16335

Closed
wants to merge 3 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions ext/zlib/tests/gh16326.phpt
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
--TEST--
GH-16326 (Memory management is broken for bad dictionaries)
--EXTENSIONS--
zlib
--FILE--
<?php
try {
deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [" ", ""]]);
} catch (ValueError $ex) {
echo $ex->getMessage(), "\n";
}
try {
deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => ["hello", "wor\0ld"]]);
} catch (ValueError $ex) {
echo $ex->getMessage(), "\n";
}
try {
deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [" ", new stdClass]]);
} catch (Error $ex) {
echo $ex->getMessage(), "\n";
}
?>
--EXPECT--
deflate_init(): Argument #2 ($options) must not contain empty strings
deflate_init(): Argument #2 ($options) must not contain strings with null bytes
Object of class stdClass could not be converted to string
32 changes: 13 additions & 19 deletions ext/zlib/zlib.c
Original file line number Diff line number Diff line change
Expand Up @@ -807,35 +807,29 @@ static bool zlib_create_dictionary_string(HashTable *options, char **dict, size_
if (zend_hash_num_elements(dictionary) > 0) {
char *dictptr;
zval *cur;
zend_string **strings = emalloc(sizeof(zend_string *) * zend_hash_num_elements(dictionary));
zend_string **strings = safe_emalloc(zend_hash_num_elements(dictionary), sizeof(zend_string *), 0);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
zend_string **strings = safe_emalloc(zend_hash_num_elements(dictionary), sizeof(zend_string *), 0);
zend_string **strings = safe_emalloc(zend_hash_num_elements(dictionary), sizeof(*strings), 0);

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I prefer using sizeof with an expression (in which case I also prefer to omit the parentheses), but I think I've seen it most of the time using a type in php-src. Do we have a style guideline about that?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a style guideline about that?

I am not aware of anything.

zend_string **end, **ptr = strings - 1;

ZEND_HASH_FOREACH_VAL(dictionary, cur) {
size_t i;

*++ptr = zval_get_string(cur);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the future we should use the try API here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't make it better, I'm afraid. Now we have to check for EG(exception) but can be sure that *ptr is not NULL; with zval_try_get_string() we no longer have to check for EG(exception), but need to check that *ptr is not NULL before releasing it. Basically, what we did.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, but it is easier to miss checking for EG(exception) and use some sort of default zend_string then not having one in the first place IMHO.

if (!*ptr || ZSTR_LEN(*ptr) == 0 || EG(exception)) {
if (*ptr) {
efree(*ptr);
}
while (--ptr >= strings) {
efree(ptr);
}
ZEND_ASSERT(*ptr);
if (ZSTR_LEN(*ptr) == 0 || EG(exception)) {
do {
zend_string_release(*ptr);
} while (--ptr >= strings);
efree(strings);
if (!EG(exception)) {
zend_argument_value_error(2, "must not contain empty strings");
}
return 0;
}
for (i = 0; i < ZSTR_LEN(*ptr); i++) {
if (ZSTR_VAL(*ptr)[i] == 0) {
do {
efree(ptr);
} while (--ptr >= strings);
efree(strings);
zend_argument_value_error(2, "must not contain strings with null bytes");
return 0;
}
if (zend_str_has_nul_byte(*ptr)) {
do {
zend_string_release(*ptr);
} while (--ptr >= strings);
efree(strings);
zend_argument_value_error(2, "must not contain strings with null bytes");
return 0;
}

*dictlen += ZSTR_LEN(*ptr) + 1;
Expand Down
Loading