Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts (#13892)

The hash tables used are allocated via the persistent allocator. When using ini_set, the allocation happens via the non-persistent allocator. When the table is then freed in GSHUTDOWN, we get a crash because the allocators are mismatched. As a side note, it is strange that this is designed this way, because it means that ini_sets persist between requests... Co-authored-by: Kamil Tekiela <tekiela246@gmail.com>
2025-08-15 21:48:51 +02:00 · 2024-04-06 13:43:26 +02:00 · 2024-04-06 13:43:26 +02:00 · 5ce9687cb2
commit 5ce9687cb2
parent 97162e92be
2 changed files with 20 additions and 2 deletions
--- a/ext/session/tests/gh13891.phpt
+++ b/ext/session/tests/gh13891.phpt
@ -0,0 +1,17 @@
+--TEST--
+GH-13891 (memleak and segfault when using ini_set with session.trans_sid_hosts)
+--INI--
+session.use_cookies=0
+session.use_only_cookies=0
+session.use_trans_sid=1
+session.trans_sid_hosts=php.net
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+// We *must* set it here because the bug only triggers on a runtime edit
+ini_set('session.trans_sid_hosts','php.net');
+?>
+--EXPECT--
--- a/ext/standard/url_scanner_ex.re
+++ b/ext/standard/url_scanner_ex.re
@ -138,9 +138,10 @@ static int php_ini_on_update_hosts(zend_ini_entry *entry, zend_string *new_value
 		}
 		keylen = q - key;
 		if (keylen > 0) {
-			tmp_key = zend_string_init(key, keylen, 0);
+			/* Note: the hash table is persistently allocated, so the strings must be too! */
+			tmp_key = zend_string_init(key, keylen, true);
 			zend_hash_add_empty_element(hosts, tmp_key);
-			zend_string_release_ex(tmp_key, 0);
+			zend_string_release_ex(tmp_key, true);
 		}
 	}
 	efree(tmp);