Fixed incorrrecr zval_dtor() usage to replace value of argument passed by reference, that may lead to memory leaks.

2025-08-15 21:48:51 +02:00 · 2018-07-05 10:57:49 +03:00 · 2018-07-05 10:57:49 +03:00 · 265c3ed6cf
commit 265c3ed6cf
parent 587ab00698
14 changed files with 68 additions and 56 deletions
--- a/Zend/tests/gc_039.phpt
+++ b/Zend/tests/gc_039.phpt
@ -0,0 +1,15 @@
+--TEST--
+GC 039: Garbage created by replacing argument send by reference
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--INI--
+zend.enable_gc = 1
+--FILE--
+<?php
+$out = new stdClass;
+$out->x = $out;
+mb_parse_str("a=b", $out);
+var_dump(gc_collect_cycles());
+?>
+--EXPECT--
+int(1)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@ -4647,13 +4647,13 @@ PHP_FUNCTION(exif_thumbnail)
 		if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
 			exif_scan_thumbnail(&ImageInfo);
 		}
-		zval_dtor(z_width);
-		zval_dtor(z_height);
+		zval_ptr_dtor(z_width);
+		zval_ptr_dtor(z_height);
 		ZVAL_LONG(z_width,  ImageInfo.Thumbnail.width);
 		ZVAL_LONG(z_height, ImageInfo.Thumbnail.height);
 	}
 	if (arg_c >= 4)	{
-		zval_dtor(z_imagetype);
+		zval_ptr_dtor(z_imagetype);
 		ZVAL_LONG(z_imagetype, ImageInfo.Thumbnail.filetype);
 	}

--- a/ext/ftp/php_ftp.c
+++ b/ext/ftp/php_ftp.c
@ -689,7 +689,7 @@ PHP_FUNCTION(ftp_alloc)

 	ret = ftp_alloc(ftp, size, zresponse ? &response : NULL);
 	if (response) {
-		zval_dtor(zresponse);
+		zval_ptr_dtor(zresponse);
 		ZVAL_STR(zresponse, response);
 	}

--- a/ext/intl/formatter/formatter_parse.c
+++ b/ext/intl/formatter/formatter_parse.c
@ -106,7 +106,7 @@ PHP_FUNCTION( numfmt_parse )
 	efree(oldlocale);
 #endif
 	if(zposition) {
-		zval_dtor(zposition);
+		zval_ptr_dtor(zposition);
 		ZVAL_LONG(zposition, position);
 	}

@ -162,7 +162,7 @@ PHP_FUNCTION( numfmt_parse_currency )

 	number = unum_parseDoubleCurrency(FORMATTER_OBJECT(nfo), sstr, sstr_len, position_p, currency, &INTL_DATA_ERROR_CODE(nfo));
 	if(zposition) {
-		zval_dtor(zposition);
+		zval_ptr_dtor(zposition);
 		ZVAL_LONG(zposition, position);
 	}
 	if (sstr) {
@ -173,7 +173,7 @@ PHP_FUNCTION( numfmt_parse_currency )
 	/* Convert parsed currency to UTF-8 and pass it back to caller. */
 	u8str = intl_convert_utf16_to_utf8(currency, u_strlen(currency), &INTL_DATA_ERROR_CODE(nfo));
 	INTL_METHOD_CHECK_STATUS( nfo, "Currency conversion to UTF-8 failed" );
-	zval_dtor( zcurrency );
+	zval_ptr_dtor( zcurrency );
 	ZVAL_NEW_STR(zcurrency, u8str);

 	RETVAL_DOUBLE( number );
--- a/ext/intl/idn/idn.c
+++ b/ext/intl/idn/idn.c
@ -319,7 +319,7 @@ static void php_intl_idn_handoff(INTERNAL_FUNCTION_PARAMETERS, int mode)
 				"4 arguments were provided, but INTL_IDNA_VARIANT_2003 only "
 				"takes 3 - extra argument ignored");
 		} else {
-			zval_dtor(idna_info);
+			zval_ptr_dtor(idna_info);
 			array_init(idna_info);
 		}
 	}
--- a/ext/intl/timezone/timezone_methods.cpp
+++ b/ext/intl/timezone/timezone_methods.cpp
@ -314,7 +314,7 @@ U_CFUNC PHP_FUNCTION(intltz_get_canonical_id)

 	if (is_systemid) { /* by-ref argument passed */
 		ZVAL_DEREF(is_systemid);
-		zval_dtor(is_systemid);
+		zval_ptr_dtor(is_systemid);
 		ZVAL_BOOL(is_systemid, isSystemID);
 	}
 }
@ -465,11 +465,9 @@ U_CFUNC PHP_FUNCTION(intltz_get_offset)

 	INTL_METHOD_CHECK_STATUS(to, "intltz_get_offset: error obtaining offset");

-	ZVAL_DEREF(rawOffsetArg);
-	zval_dtor(rawOffsetArg);
+	zval_ptr_dtor(rawOffsetArg);
 	ZVAL_LONG(rawOffsetArg, rawOffset);
-	ZVAL_DEREF(dstOffsetArg);
-	zval_dtor(dstOffsetArg);
+	zval_ptr_dtor(dstOffsetArg);
 	ZVAL_LONG(dstOffsetArg, dstOffset);

 	RETURN_TRUE;
--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@ -3066,7 +3066,7 @@ PHP_FUNCTION(ldap_get_option)
 			if (!timeout) {
 				RETURN_FALSE;
 			}
-			zval_dtor(retval);
+			zval_ptr_dtor(retval);
 			ZVAL_LONG(retval, timeout->tv_sec);
 			ldap_memfree(timeout);
 		} break;
@ -3435,7 +3435,7 @@ PHP_FUNCTION(ldap_parse_exop)
 	/* Reverse -> fall through */
 	switch (myargcount) {
 		case 4:
-			zval_dtor(retoid);
+			zval_ptr_dtor(retoid);
 			if (lretoid == NULL) {
 				ZVAL_EMPTY_STRING(retoid);
 			} else {
@ -3444,7 +3444,7 @@ PHP_FUNCTION(ldap_parse_exop)
 			}
 		case 3:
 			/* use arg #3 as the data returned by the server */
-			zval_dtor(retdata);
+			zval_ptr_dtor(retdata);
 			if (lretdata == NULL) {
 				ZVAL_EMPTY_STRING(retdata);
 			} else {
@ -4084,7 +4084,7 @@ PHP_FUNCTION(ldap_control_paged_result_response)

 	ldap_controls_free(lserverctrls);
 	if (myargcount == 4) {
-		zval_dtor(estimated);
+		zval_ptr_dtor(estimated);
 		ZVAL_LONG(estimated, lestimated);
 	}

@ -4155,7 +4155,7 @@ PHP_FUNCTION(ldap_exop)
 		}

 		if (retoid) {
-			zval_dtor(retoid);
+			zval_ptr_dtor(retoid);
 			if (lretoid) {
 				ZVAL_STRING(retoid, lretoid);
 				ldap_memfree(lretoid);
@ -4164,7 +4164,7 @@ PHP_FUNCTION(ldap_exop)
 			}
 		}

-		zval_dtor(retdata);
+		zval_ptr_dtor(retdata);
 		if (lretdata) {
 			ZVAL_STRINGL(retdata, lretdata->bv_val, lretdata->bv_len);
 			ldap_memfree(lretdata->bv_val);
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@ -2139,7 +2139,7 @@ PHP_FUNCTION(mb_parse_str)

 	if (track_vars_array != NULL) {
 		/* Clear out the array */
-		zval_dtor(track_vars_array);
+		zval_ptr_dtor(track_vars_array);
 		array_init(track_vars_array);
 	}

--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@ -701,7 +701,7 @@ static void _php_mb_regex_ereg_exec(INTERNAL_FUNCTION_PARAMETERS, int icase)
 	}

 	if (array != NULL) {
-		zval_dtor(array);
+		zval_ptr_dtor(array);
 		array_init(array);
 	}

--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@ -2118,7 +2118,7 @@ PHP_FUNCTION(openssl_x509_export)
 	if (PEM_write_bio_X509(bio_out, cert)) {
 		BUF_MEM *bio_buf;

-		zval_dtor(zout);
+		zval_ptr_dtor(zout);
 		BIO_get_mem_ptr(bio_out, &bio_buf);
 		ZVAL_STRINGL(zout, bio_buf->data, bio_buf->length);

@ -2920,7 +2920,7 @@ PHP_FUNCTION(openssl_pkcs12_export)
 		if (i2d_PKCS12_bio(bio_out, p12)) {
 			BUF_MEM *bio_buf;

-			zval_dtor(zout);
+			zval_ptr_dtor(zout);
 			BIO_get_mem_ptr(bio_out, &bio_buf);
 			ZVAL_STRINGL(zout, bio_buf->data, bio_buf->length);

@ -2979,7 +2979,7 @@ PHP_FUNCTION(openssl_pkcs12_read)
 		BIO * bio_out;
 		int cert_num;

-		zval_dtor(zout);
+		zval_ptr_dtor(zout);
 		array_init(zout);

 		if (cert) {
@ -3358,7 +3358,7 @@ PHP_FUNCTION(openssl_csr_export)
 		BUF_MEM *bio_buf;

 		BIO_get_mem_ptr(bio_out, &bio_buf);
-		zval_dtor(zout);
+		zval_ptr_dtor(zout);
 		ZVAL_STRINGL(zout, bio_buf->data, bio_buf->length);

 		RETVAL_TRUE;
@ -3576,7 +3576,7 @@ PHP_FUNCTION(openssl_csr_new)

 						if (we_made_the_key) {
 							/* and a resource for the private key */
-							zval_dtor(out_pkey);
+							zval_ptr_dtor(out_pkey);
 							ZVAL_RES(out_pkey, zend_register_resource(req.priv_key, le_key));
 							req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */
 						} else if (key_resource != NULL) {
@ -4640,7 +4640,7 @@ PHP_FUNCTION(openssl_pkey_export)
 			RETVAL_TRUE;

 			bio_mem_len = BIO_get_mem_data(bio_out, &bio_mem_ptr);
-			zval_dtor(out);
+			zval_ptr_dtor(out);
 			ZVAL_STRINGL(out, bio_mem_ptr, bio_mem_len);
 		} else {
 			php_openssl_store_errors();
@ -5386,7 +5386,7 @@ PHP_FUNCTION(openssl_pkcs7_read)
 			break;
 	}

-	zval_dtor(zout);
+	zval_ptr_dtor(zout);
 	array_init(zout);

 	if (certs != NULL) {
@ -5672,7 +5672,7 @@ PHP_FUNCTION(openssl_private_encrypt)
 	}

 	if (successful) {
-		zval_dtor(crypted);
+		zval_ptr_dtor(crypted);
 		ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
 		ZVAL_NEW_STR(crypted, cryptedbuf);
 		cryptedbuf = NULL;
@ -5741,7 +5741,7 @@ PHP_FUNCTION(openssl_private_decrypt)
 	efree(crypttemp);

 	if (successful) {
-		zval_dtor(crypted);
+		zval_ptr_dtor(crypted);
 		ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
 		ZVAL_NEW_STR(crypted, cryptedbuf);
 		cryptedbuf = NULL;
@ -5803,7 +5803,7 @@ PHP_FUNCTION(openssl_public_encrypt)
 	}

 	if (successful) {
-		zval_dtor(crypted);
+		zval_ptr_dtor(crypted);
 		ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
 		ZVAL_NEW_STR(crypted, cryptedbuf);
 		cryptedbuf = NULL;
@ -5874,7 +5874,7 @@ PHP_FUNCTION(openssl_public_decrypt)
 	efree(crypttemp);

 	if (successful) {
-		zval_dtor(crypted);
+		zval_ptr_dtor(crypted);
 		ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
 		ZVAL_NEW_STR(crypted, cryptedbuf);
 		cryptedbuf = NULL;
@ -5970,7 +5970,7 @@ PHP_FUNCTION(openssl_sign)
 			EVP_SignInit(md_ctx, mdtype) &&
 			EVP_SignUpdate(md_ctx, data, data_len) &&
 			EVP_SignFinal(md_ctx, (unsigned char*)ZSTR_VAL(sigbuf), &siglen, pkey)) {
-		zval_dtor(signature);
+		zval_ptr_dtor(signature);
 		ZSTR_VAL(sigbuf)[siglen] = '\0';
 		ZSTR_LEN(sigbuf) = siglen;
 		ZVAL_NEW_STR(signature, sigbuf);
@ -6139,11 +6139,11 @@ PHP_FUNCTION(openssl_seal)
 	}

 	if (len1 + len2 > 0) {
-		zval_dtor(sealdata);
+		zval_ptr_dtor(sealdata);
 		ZVAL_NEW_STR(sealdata, zend_string_init((char*)buf, len1 + len2, 0));
 		efree(buf);

-		zval_dtor(ekeys);
+		zval_ptr_dtor(ekeys);
 		array_init(ekeys);
 		for (i=0; i<nkeys; i++) {
 			eks[i][eksl[i]] = '\0';
@ -6153,7 +6153,7 @@ PHP_FUNCTION(openssl_seal)
 		}

 		if (iv) {
-			zval_dtor(iv);
+			zval_ptr_dtor(iv);
 			iv_buf[iv_len] = '\0';
 			ZVAL_NEW_STR(iv, zend_string_init((char*)iv_buf, iv_len, 0));
 		}
@ -6243,7 +6243,7 @@ PHP_FUNCTION(openssl_open)
 	if (ctx != NULL && EVP_OpenInit(ctx, cipher, (unsigned char *)ekey, (int)ekey_len, iv_buf, pkey) &&
 			EVP_OpenUpdate(ctx, buf, &len1, (unsigned char *)data, (int)data_len) &&
 			EVP_OpenFinal(ctx, buf + len1, &len2) && (len1 + len2 > 0)) {
-		zval_dtor(opendata);
+		zval_ptr_dtor(opendata);
 		buf[len1 + len2] = '\0';
 		ZVAL_NEW_STR(opendata, zend_string_init((char*)buf, len1 + len2, 0));
 		RETVAL_TRUE;
@ -6644,7 +6644,7 @@ PHP_FUNCTION(openssl_encrypt)
 			zend_string *tag_str = zend_string_alloc(tag_len, 0);

 			if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode.aead_get_tag_flag, tag_len, ZSTR_VAL(tag_str)) == 1) {
-				zval_dtor(tag);
+				zval_ptr_dtor(tag);
 				ZSTR_VAL(tag_str)[tag_len] = '\0';
 				ZSTR_LEN(tag_str) = tag_len;
 				ZVAL_NEW_STR(tag, tag_str);
@ -6655,7 +6655,7 @@ PHP_FUNCTION(openssl_encrypt)
 				RETVAL_FALSE;
 			}
 		} else if (tag) {
-			zval_dtor(tag);
+			zval_ptr_dtor(tag);
 			ZVAL_NULL(tag);
 			php_error_docref(NULL, E_WARNING,
 					"The authenticated tag cannot be provided for cipher that doesn not support AEAD");
@ -6808,7 +6808,7 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
 	}

 	if (zstrong_result_returned) {
-		zval_dtor(zstrong_result_returned);
+		zval_ptr_dtor(zstrong_result_returned);
 		ZVAL_FALSE(zstrong_result_returned);
 	}

--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@ -674,7 +674,7 @@ PHP_FUNCTION(pcntl_waitpid)
 #ifdef HAVE_WAIT4
 	if (z_rusage) {
 		if (Z_TYPE_P(z_rusage) != IS_ARRAY) {
-			zval_dtor(z_rusage);
+			zval_ptr_dtor(z_rusage);
 			array_init(z_rusage);
 		} else {
 			zend_hash_clean(Z_ARRVAL_P(z_rusage));
@ -699,7 +699,7 @@ PHP_FUNCTION(pcntl_waitpid)
 	}
 #endif

-	zval_dtor(z_status);
+	zval_ptr_dtor(z_status);
 	ZVAL_LONG(z_status, status);

 	RETURN_LONG((zend_long) child_id);
@ -726,7 +726,7 @@ PHP_FUNCTION(pcntl_wait)
 #ifdef HAVE_WAIT3
 	if (z_rusage) {
 		if (Z_TYPE_P(z_rusage) != IS_ARRAY) {
-			zval_dtor(z_rusage);
+			zval_ptr_dtor(z_rusage);
 			array_init(z_rusage);
 		} else {
 			zend_hash_clean(Z_ARRVAL_P(z_rusage));
@ -752,7 +752,7 @@ PHP_FUNCTION(pcntl_wait)
 	}
 #endif

-	zval_dtor(z_status);
+	zval_ptr_dtor(z_status);
 	ZVAL_LONG(z_status, status);

 	RETURN_LONG((zend_long) child_id);
@ -1134,7 +1134,7 @@ PHP_FUNCTION(pcntl_sigprocmask)

 	if (user_oldset != NULL) {
 		if (Z_TYPE_P(user_oldset) != IS_ARRAY) {
-			zval_dtor(user_oldset);
+			zval_ptr_dtor(user_oldset);
 			array_init(user_oldset);
 		} else {
 			zend_hash_clean(Z_ARRVAL_P(user_oldset));
@ -1233,7 +1233,7 @@ static void pcntl_siginfo_to_zval(int signo, siginfo_t *siginfo, zval *user_sigi
 {
 	if (signo > 0 && user_siginfo) {
 		if (Z_TYPE_P(user_siginfo) != IS_ARRAY) {
-			zval_dtor(user_siginfo);
+			zval_ptr_dtor(user_siginfo);
 			array_init(user_siginfo);
 		} else {
 			zend_hash_clean(Z_ARRVAL_P(user_siginfo));
--- a/ext/standard/dns_win32.c
+++ b/ext/standard/dns_win32.c
@ -60,11 +60,11 @@ PHP_FUNCTION(dns_get_mx) /* {{{ */
 		RETURN_FALSE;
 	}

-	zval_dtor(mx_list);
+	zval_ptr_dtor(mx_list);
 	array_init(mx_list);

 	if (weight_list) {
-		zval_dtor(weight_list);
+		zval_ptr_dtor(weight_list);
 		array_init(weight_list);
 	}

@ -358,11 +358,11 @@ PHP_FUNCTION(dns_get_record)
 	}

 	if (authns) {
-		zval_dtor(authns);
+		zval_ptr_dtor(authns);
 		array_init(authns);
 	}
 	if (addtl) {
-		zval_dtor(addtl);
+		zval_ptr_dtor(addtl);
 		array_init(addtl);
 	}

--- a/ext/sysvmsg/sysvmsg.c
+++ b/ext/sysvmsg/sysvmsg.c
@ -343,14 +343,13 @@ PHP_FUNCTION(msg_receive)

 	result = msgrcv(mq->id, messagebuffer, maxsize, desiredmsgtype, realflags);

-	zval_dtor(out_msgtype);
-	zval_dtor(out_message);
+	zval_ptr_dtor(out_msgtype);
+	zval_ptr_dtor(out_message);
 	ZVAL_LONG(out_msgtype, 0);
 	ZVAL_FALSE(out_message);

 	if (zerrcode) {
-		ZVAL_DEREF(zerrcode);
-		zval_dtor(zerrcode);
+		zval_ptr_dtor(zerrcode);
 		ZVAL_LONG(zerrcode, 0);
 	}

--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@ -2260,9 +2260,9 @@ static ZIPARCHIVE_METHOD(getExternalAttributesIndex)
 			(zip_flags_t)flags, &opsys, &attr) < 0) {
 		RETURN_FALSE;
 	}
-	zval_dtor(z_opsys);
+	zval_ptr_dtor(z_opsys);
 	ZVAL_LONG(z_opsys, opsys);
-	zval_dtor(z_attr);
+	zval_ptr_dtor(z_attr);
 	ZVAL_LONG(z_attr, attr);
 	RETURN_TRUE;
 }