archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source 
* PHP-8.3:
  Fix various memory leaks in curl mime handling
This commit is contained in:
Niels Dossche 2024-11-26 20:39:30 +01:00
commit 8206de62f7
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
2 changed files with 23 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -7,6 +7,9 @@ PHP NEWS
skipLazyInitialization() may change initialized proxy). (Arnaud) skipLazyInitialization() may change initialized proxy). (Arnaud)
. Fix is_zend_ptr() huge block comparison. (nielsdos) . Fix is_zend_ptr() huge block comparison. (nielsdos)
- Curl:
. Fix various memory leaks in curl mime handling. (nielsdos)
- DOM: - DOM:
. Fixed bug GH-16906 (Reloading document can cause UAF in iterator). . Fixed bug GH-16906 (Reloading document can cause UAF in iterator).
(nielsdos) (nielsdos)

35
ext/curl/interface.c
View file

@ -1438,7 +1438,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
postval = Z_STR_P(prop); postval = Z_STR_P(prop);
if (php_check_open_basedir(ZSTR_VAL(postval))) { if (php_check_open_basedir(ZSTR_VAL(postval))) {
return FAILURE; goto out_string;
} }
prop = zend_read_property(curl_CURLFile_class, Z_OBJ_P(current), "mime", sizeof("mime")-1, 0, &rv); prop = zend_read_property(curl_CURLFile_class, Z_OBJ_P(current), "mime", sizeof("mime")-1, 0, &rv);
@ -1463,15 +1463,18 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
seekfunc = NULL; seekfunc = NULL;
} }
part = curl_mime_addpart(mime);
if (part == NULL) {
if (stream) {
php_stream_close(stream);
}
goto out_string;
}
cb_arg = emalloc(sizeof *cb_arg); cb_arg = emalloc(sizeof *cb_arg);
cb_arg->filename = zend_string_copy(postval); cb_arg->filename = zend_string_copy(postval);
cb_arg->stream = stream; cb_arg->stream = stream;
part = curl_mime_addpart(mime);
if (part == NULL) {
zend_string_release_ex(string_key, 0);
return FAILURE;
}
if ((form_error = curl_mime_name(part, ZSTR_VAL(string_key))) != CURLE_OK if ((form_error = curl_mime_name(part, ZSTR_VAL(string_key))) != CURLE_OK
|| (form_error = curl_mime_data_cb(part, filesize, read_cb, seekfunc, free_cb, cb_arg)) != CURLE_OK || (form_error = curl_mime_data_cb(part, filesize, read_cb, seekfunc, free_cb, cb_arg)) != CURLE_OK
|| (form_error = curl_mime_filename(part, filename ? filename : ZSTR_VAL(postval))) != CURLE_OK || (form_error = curl_mime_filename(part, filename ? filename : ZSTR_VAL(postval))) != CURLE_OK
@ -1492,8 +1495,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
prop = zend_read_property(curl_CURLStringFile_class, Z_OBJ_P(current), "postname", sizeof("postname")-1, 0, &rv); prop = zend_read_property(curl_CURLStringFile_class, Z_OBJ_P(current), "postname", sizeof("postname")-1, 0, &rv);
if (EG(exception)) { if (EG(exception)) {
zend_string_release_ex(string_key, 0); goto out_string;
return FAILURE;
} }
ZVAL_DEREF(prop); ZVAL_DEREF(prop);
ZEND_ASSERT(Z_TYPE_P(prop) == IS_STRING); ZEND_ASSERT(Z_TYPE_P(prop) == IS_STRING);
@ -1502,8 +1504,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
prop = zend_read_property(curl_CURLStringFile_class, Z_OBJ_P(current), "mime", sizeof("mime")-1, 0, &rv); prop = zend_read_property(curl_CURLStringFile_class, Z_OBJ_P(current), "mime", sizeof("mime")-1, 0, &rv);
if (EG(exception)) { if (EG(exception)) {
zend_string_release_ex(string_key, 0); goto out_string;
return FAILURE;
} }
ZVAL_DEREF(prop); ZVAL_DEREF(prop);
ZEND_ASSERT(Z_TYPE_P(prop) == IS_STRING); ZEND_ASSERT(Z_TYPE_P(prop) == IS_STRING);
@ -1512,8 +1513,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
prop = zend_read_property(curl_CURLStringFile_class, Z_OBJ_P(current), "data", sizeof("data")-1, 0, &rv); prop = zend_read_property(curl_CURLStringFile_class, Z_OBJ_P(current), "data", sizeof("data")-1, 0, &rv);
if (EG(exception)) { if (EG(exception)) {
zend_string_release_ex(string_key, 0); goto out_string;
return FAILURE;
} }
ZVAL_DEREF(prop); ZVAL_DEREF(prop);
ZEND_ASSERT(Z_TYPE_P(prop) == IS_STRING); ZEND_ASSERT(Z_TYPE_P(prop) == IS_STRING);
@ -1525,8 +1525,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
part = curl_mime_addpart(mime); part = curl_mime_addpart(mime);
if (part == NULL) { if (part == NULL) {
zend_string_release_ex(string_key, 0); goto out_string;
return FAILURE;
} }
if ((form_error = curl_mime_name(part, ZSTR_VAL(string_key))) != CURLE_OK if ((form_error = curl_mime_name(part, ZSTR_VAL(string_key))) != CURLE_OK
|| (form_error = curl_mime_data(part, ZSTR_VAL(postval), ZSTR_LEN(postval))) != CURLE_OK || (form_error = curl_mime_data(part, ZSTR_VAL(postval), ZSTR_LEN(postval))) != CURLE_OK
@ -1557,7 +1556,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
SAVE_CURL_ERROR(ch, error); SAVE_CURL_ERROR(ch, error);
if (error != CURLE_OK) { if (error != CURLE_OK) {
return FAILURE; goto out_mime;
} }
if ((*ch->clone) == 1) { if ((*ch->clone) == 1) {
@ -1568,6 +1567,12 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
SAVE_CURL_ERROR(ch, error); SAVE_CURL_ERROR(ch, error);
return error == CURLE_OK ? SUCCESS : FAILURE; return error == CURLE_OK ? SUCCESS : FAILURE;
out_string:
zend_string_release_ex(string_key, false);
out_mime:
curl_mime_free(mime);
return FAILURE;
} }
/* }}} */ /* }}} */