From 64d511ef29e43539ccd8b3688c7976f52dfea3d8 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 24 May 2025 17:02:49 +0200
Subject: [PATCH 1/2] Fix GH-18641: Accessing a BcMath\Number property by ref crashes

The properties are virtual so we need a custom get_property_ptr_ptr handler.

Closes GH-18637.
---
 NEWS | 4 ++++
 ext/bcmath/bcmath.c | 7 +++++++
 ext/bcmath/tests/number/gh18641.phpt | 13 +++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 ext/bcmath/tests/number/gh18641.phpt

diff --git a/NEWS b/NEWS
index 624f51a6fba..ca7c8bdb40a 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.9
+- BcMath:
+ . Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes).
+ (nielsdos)
+
 - Intl:
 . Fix memory leak in intl_datetime_decompose() on failure. (nielsdos)
diff --git a/ext/bcmath/bcmath.c b/ext/bcmath/bcmath.c
index 233045bd7cd..3628b95a78e 100644
--- a/ext/bcmath/bcmath.c
+++ b/ext/bcmath/bcmath.c
@@ -971,6 +971,12 @@ static zval *bcmath_number_read_property(zend_object *obj, zend_string *name, in
 return zend_std_read_property(obj, name, type, cache_slot, rv);
 }
+static zval *bcmath_number_get_property_ptr_ptr(zend_object *object, zend_string *member, int type, void **cache_slot)
+{
+ /* Must always go through read property because all properties are virtual, and no dynamic properties are allowed. */
+ return NULL;
+}
+
 static int bcmath_number_has_property(zend_object *obj, zend_string *name, int check_empty, void **cache_slot)
 {
 if (check_empty == ZEND_PROPERTY_NOT_EMPTY) {
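Review bot: The comment inside the added `bcmath_number_get_property_ptr_ptr` (ext/bcmath/bcmath.c) says why the handler exists but not what `return NULL` tells the engine, which is the part that prevents the crash. I would spell out the contract, e.g. `/* All properties are virtual and dynamic ones are not allowed, so there is no slot to point at: returning NULL makes the engine fall back to read_property/write_property. */`. The parameter names `object` and `member` also differ from the `obj` and `name` used by `bcmath_number_read_property` and `bcmath_number_has_property` in the same hunk; matching them keeps the handler set uniform. The write_property handler is not visible here, so it is worth confirming that by-reference writes routed through the fallback are rejected there.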
@@ -1014,6 +1020,7 @@ static void bcmath_number_register_class(void)
 bcmath_number_obj_handlers.unset_property = bcmath_number_unset_property;
 bcmath_number_obj_handlers.has_property = bcmath_number_has_property;
 bcmath_number_obj_handlers.read_property = bcmath_number_read_property;
+ bcmath_number_obj_handlers.get_property_ptr_ptr = bcmath_number_get_property_ptr_ptr;
 bcmath_number_obj_handlers.get_properties_for = bcmath_number_get_properties_for;
 bcmath_number_obj_handlers.cast_object = bcmath_number_cast_object;
 }
diff --git a/ext/bcmath/tests/number/gh18641.phpt b/ext/bcmath/tests/number/gh18641.phpt
new file mode 100644
index 00000000000..ed8f55e9145
--- /dev/null
+++ b/ext/bcmath/tests/number/gh18641.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-18641 (Accessing a BcMath\Number property by ref crashes)
+--EXTENSIONS--
+bcmath
+--FILE--
+value;
+var_dump($x);
+?>
+--EXPECT--
+string(1) "1"

From c9781111e1d22b45ebdee294aa679240b6fd41de Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 24 May 2025 16:17:43 +0200
Subject: [PATCH 2/2] Fix memory leak when calloc() fails in php_readline_completion_cb()

Closes GH-18637.
---
 NEWS | 4 ++++
 ext/readline/readline.c | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index a8d6d6ee6fe..fc7e534d604 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,10 @@ PHP NEWS
 - Phar:
 . Add missing filter cleanups on phar failure. (nielsdos)
+- Readline:
+ . Fix memory leak when calloc() fails in php_readline_completion_cb().
+ (nielsdos)
+
 05 Jun 2025, PHP 8.3.22
 - Core:
diff --git a/ext/readline/readline.c b/ext/readline/readline.c
index 1bd5e2fd605..4da9f359515 100644
--- a/ext/readline/readline.c
+++ b/ext/readline/readline.c
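Review bot: The new test ext/bcmath/tests/number/gh18641.phpt, as far as its visible lines show, asserts only a single by-reference read of `value` (expecting `string(1) "1"`), so the other accesses that would have reached the missing handler stay uncovered. Because the fix relies on every property being virtual, I would add a second case for `scale` and one that writes through the reference or applies `++` to the property, pinning that these end in the class's normal error rather than a crash. A short comment in the `--FILE--` section such as `// by-ref fetch has no real slot and must fall back to read_property` would tell readers what the test guards.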
@@ -458,13 +458,14 @@ char **php_readline_completion_cb(const char *text, int start, int end)
 /* libedit will read matches[2] */
 matches = calloc(3, sizeof(char *));
 if (!matches) {
- return NULL;
+ goto out;
 }
 matches[0] = strdup("");
 }
 }
 }
+out:
 zval_ptr_dtor(¶ms[0]);
 zval_ptr_dtor(&_readline_array);
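Review bot: `matches[0] = strdup("");` in php_readline_completion_cb() is still unchecked. An allocation failure right after the calloc() this hunk now handles would hand the readline/libedit caller an array whose first slot is NULL. Handling it next to the new `goto out;` keeps both failure paths uniform: `if (!matches[0]) { free(matches); matches = NULL; }`. The function's opening and its return statement lie outside the hunk, so this assumes `matches` is what is returned after `out:`.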