Fix memory leak on Randomizer::__construct() call twice (#9091)

When Radomizer::__construct() was called with no arguments, Randomizer\Engine\Secure was implicitly instantiate and memory was leaking. Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>
2025-08-15 21:48:51 +02:00 · 2022-07-24 03:09:14 +09:00 · 2022-07-24 03:09:14 +09:00 · 34b352d121
commit 34b352d121
parent 3c372901bd
3 changed files with 47 additions and 0 deletions
--- a/2
+++ b/2
@ -24,6 +24,8 @@ PHP                                                                        NEWS
  . Fixed bug GH-9083 (undefined behavior during shifting). (timwolla)
  . Fixed bug GH-9088, GH-9056 (incorrect expansion of bytes when
    generating uniform integers within a given range). (timwolla)
+  . Fixed bug GH-9089 (Fix memory leak on Randomizer::__construct()
+    call twice) (zeriyoshi)

 21 Jul 2022, PHP 8.2.0beta1

--- a/ext/random/randomizer.c
+++ b/ext/random/randomizer.c
@ -70,6 +70,11 @@ PHP_METHOD(Random_Randomizer, __construct)
 		Z_PARAM_OBJ_OF_CLASS_OR_NULL(engine_object, random_ce_Random_Engine);
 	ZEND_PARSE_PARAMETERS_END();

+	if (randomizer->algo) {
+		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot call constructor twice");
+		RETURN_THROWS();
+	}
+
 	/* Create default RNG instance */
 	if (!engine_object) {
 		engine_object = random_ce_Random_Engine_Secure->create_object(random_ce_Random_Engine_Secure);
--- a/ext/random/tests/03_randomizer/construct_twice.phpt
+++ b/ext/random/tests/03_randomizer/construct_twice.phpt
@ -0,0 +1,40 @@
+--TEST--
+Random: Randomizer: Disallow manually calling __construct
+--FILE--
+<?php
+
+final class UserEngine implements \Random\Engine
+{
+    public function generate(): string
+    {
+        return \random_byte(4); /* 32-bit */
+    }
+}
+
+try {
+    (new \Random\Randomizer())->__construct();
+} catch (\BadMethodCallException $e) {
+    echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+    $r = new \Random\Randomizer(new \Random\Engine\Xoshiro256StarStar());
+    $r->__construct(new \Random\Engine\PcgOneseq128XslRr64());
+} catch (\BadMethodCallException $e) {
+    echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+    $r = new \Random\Randomizer(new \UserEngine());
+    $r->__construct(new \UserEngine());
+} catch (\BadMethodCallException $e) {
+    echo $e->getMessage() . PHP_EOL;
+}
+
+die('success');
+?>
+--EXPECT--
+Cannot call constructor twice
+Cannot call constructor twice
+Cannot call constructor twice
+success