From 5ce9687cb2bc49e5d95b1c9bda5dc7f711c3da62 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 6 Apr 2024 13:43:26 +0200
Subject: [PATCH] Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts (#13892) The hash tables used are allocated via the persistent allocator. When using ini_set, the allocation happens via the non-persistent allocator. When the table is then freed in GSHUTDOWN, we get a crash because the allocators are mismatched. As a side note, it is strange that this is designed this way, because it means that ini_sets persist between requests...
Co-authored-by: Kamil Tekiela
---
 ext/session/tests/gh13891.phpt | 17 +++++++++++++++++
 ext/standard/url_scanner_ex.re | 5 +++--
 2 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 ext/session/tests/gh13891.phpt
diff --git a/ext/session/tests/gh13891.phpt b/ext/session/tests/gh13891.phpt
new file mode 100644
index 00000000000..7df9bffa770
--- /dev/null
+++ b/ext/session/tests/gh13891.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-13891 (memleak and segfault when using ini_set with session.trans_sid_hosts)
+--INI--
+session.use_cookies=0
+session.use_only_cookies=0
+session.use_trans_sid=1
+session.trans_sid_hosts=php.net
+--EXTENSIONS--
+session
+--SKIPIF--
+--FILE--
+--EXPECT--
diff --git a/ext/standard/url_scanner_ex.re b/ext/standard/url_scanner_ex.re
index 8e5b43467fc..a4a48b6bf60 100644
--- a/ext/standard/url_scanner_ex.re
+++ b/ext/standard/url_scanner_ex.re
@@ -138,9 +138,10 @@ static int php_ini_on_update_hosts(zend_ini_entry *entry, zend_string *new_value
 }
 keylen = q - key;
 if (keylen > 0) {
- tmp_key = zend_string_init(key, keylen, 0);
+ /* Note: the hash table is persistently allocated, so the strings must be too! */
+ tmp_key = zend_string_init(key, keylen, true);
 zend_hash_add_empty_element(hosts, tmp_key);
- zend_string_release_ex(tmp_key, 0);
+ zend_string_release_ex(tmp_key, true);
 }
 }
 efree(tmp);
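Review bot: The new comment above the `zend_string_init` call in the url_scanner_ex.re hunk records the allocator requirement but not what it means for lifetime. The keys are now persistent, so hosts added through a runtime ini_set() appear to stay in the table after the request ends, unless code outside this hunk resets it. This list decides which hosts get the session ID appended to rewritten URLs, so a leftover entry could let a later request in the same process emit session IDs towards a host it never allowed. I would extend the comment to something like `/* hosts is persistent (freed in GSHUTDOWN), so keys must be too; entries set via ini_set() outlive the request */` and confirm that the table is restored at request shutdown. php_ini_on_update_hosts starts and ends outside the hunk, so the reset path cannot be checked from here.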