Fix GH-16326: Memory management is broken for bad dictionaries #16335
@@ -0,0 +1,26 @@ | ||
--TEST-- | ||
GH-16326 (Memory management is broken for bad dictionaries) | ||
--EXTENSIONS-- | ||
zlib | ||
--FILE-- | ||
<?php | ||
try { | ||
deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [" ", ""]]); | ||
} catch (ValueError $ex) { | ||
echo $ex->getMessage(), "\n"; | ||
} | ||
try { | ||
deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => ["hello", "wor\0ld"]]); | ||
} catch (ValueError $ex) { | ||
echo $ex->getMessage(), "\n"; | ||
} | ||
try { | ||
deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [" ", new stdClass]]); | ||
} catch (Error $ex) { | ||
echo $ex->getMessage(), "\n"; | ||
} | ||
?> | ||
--EXPECT-- | ||
deflate_init(): Argument #2 ($options) must not contain empty strings | ||
deflate_init(): Argument #2 ($options) must not contain strings with null bytes | ||
Object of class stdClass could not be converted to string |
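Review bot: every failing element in this test sits at index 1, so the release loop in the fix is only exercised with one previously converted string before it; a single-element case such as `["dictionary" => [""]]` (and one for `["\0"]`) would cover the `ptr == strings` boundary of the `do { ... } while (--ptr >= strings)` cleanup, and a valid multi-entry dictionary would confirm the success path still builds the string after the refactor.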
@@ -807,35 +807,29 @@ static bool zlib_create_dictionary_string(HashTable *options, char **dict, size_ | |
if (zend_hash_num_elements(dictionary) > 0) { | ||
char *dictptr; | ||
zval *cur; | ||
zend_string **strings = emalloc(sizeof(zend_string *) * zend_hash_num_elements(dictionary)); | ||
zend_string **strings = safe_emalloc(zend_hash_num_elements(dictionary), sizeof(zend_string *), 0); | ||
zend_string **end, **ptr = strings - 1; | ||
|
||
ZEND_HASH_FOREACH_VAL(dictionary, cur) { | ||
size_t i; | ||
|
||
*++ptr = zval_get_string(cur); | ||
In the future we should use the
Doesn't make it better, I'm afraid. Now we have to check for
Sure, but it is easier to miss checking for
||
if (!*ptr || ZSTR_LEN(*ptr) == 0 || EG(exception)) { | ||
if (*ptr) { | ||
efree(*ptr); | ||
} | ||
while (--ptr >= strings) { | ||
efree(ptr); | ||
} | ||
ZEND_ASSERT(*ptr); | ||
if (ZSTR_LEN(*ptr) == 0 || EG(exception)) { | ||
do { | ||
zend_string_release(*ptr); | ||
} while (--ptr >= strings); | ||
efree(strings); | ||
if (!EG(exception)) { | ||
zend_argument_value_error(2, "must not contain empty strings"); | ||
} | ||
return 0; | ||
} | ||
for (i = 0; i < ZSTR_LEN(*ptr); i++) { | ||
if (ZSTR_VAL(*ptr)[i] == 0) { | ||
do { | ||
efree(ptr); | ||
} while (--ptr >= strings); | ||
efree(strings); | ||
zend_argument_value_error(2, "must not contain strings with null bytes"); | ||
return 0; | ||
} | ||
if (zend_str_has_nul_byte(*ptr)) { | ||
do { | ||
zend_string_release(*ptr); | ||
} while (--ptr >= strings); | ||
efree(strings); | ||
zend_argument_value_error(2, "must not contain strings with null bytes"); | ||
return 0; | ||
} | ||
|
||
*dictlen += ZSTR_LEN(*ptr) + 1; | ||
|
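Review bot: the cleanup after the empty-string check and the cleanup after `zend_str_has_nul_byte` are the same three statements (`do { zend_string_release(*ptr); } while (--ptr >= strings); efree(strings); return 0;`); a single `fail:` label reached by `goto` would remove the duplication and keep future changes to the release logic in one place. A short comment above `ZEND_ASSERT(*ptr)` would also help: the assert together with the `EG(exception)` test on the next line relies on `zval_get_string` returning a non-NULL (empty) string when conversion throws, and that invariant is what makes dropping the old `!*ptr` branch safe. The switch from `efree(*ptr)`/`efree(ptr)` to `zend_string_release(*ptr)` is the actual bug fix here, since the old loop freed the array slots rather than the strings, and `safe_emalloc` for the element-count multiplication is the right call.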
Actually, I prefer using sizeof with an expression (in which case I also prefer to omit the parentheses), but I think I've seen it most of the time using a type in php-src. Do we have a style guideline about that?
I am not aware of anything.