From 83722a5fdc8d8e4c25dbe7f608d2f95cc9c56532 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 5 Mar 2025 18:40:22 +0100 Subject: [PATCH] Fix memory leaks in array_any() / array_all() The return value is overwritten, but if the key was not an interned string we should destroy it. Closes GH-17977. --- ext/standard/array.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/ext/standard/array.c b/ext/standard/array.c index 7fdc26ccf4a..99e338a9cd6 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -6629,6 +6629,11 @@ static zend_result php_array_find(const HashTable *array, zend_fcall_info fci, z zend_result result = zend_call_function(&fci, &fci_cache); ZEND_ASSERT(result == SUCCESS); +<<<<<<< HEAD +======= + if (EXPECTED(!Z_ISUNDEF(retval))) { + int retval_true; +>>>>>>> 2701b97011 (Fix memory leaks in array_any() / array_all()) if (UNEXPECTED(EG(exception))) { return FAILURE; @@ -6637,6 +6642,7 @@ static zend_result php_array_find(const HashTable *array, zend_fcall_info fci, z bool retval_true = zend_is_true(&retval); zval_ptr_dtor(&retval); +<<<<<<< HEAD /* This negates the condition, if negate_condition is true. Otherwise it does nothing with `retval_true`. */ retval_true ^= negate_condition; @@ -6650,6 +6656,10 @@ static zend_result php_array_find(const HashTable *array, zend_fcall_info fci, z } break; +======= + if (UNEXPECTED(Z_ISUNDEF(retval))) { + return FAILURE; +>>>>>>> 2701b97011 (Fix memory leaks in array_any() / array_all()) } } ZEND_HASH_FOREACH_END(); @@ -6717,7 +6727,11 @@ PHP_FUNCTION(array_any) RETURN_THROWS(); } - RETURN_BOOL(Z_TYPE_P(return_value) != IS_UNDEF); + bool retval = !Z_ISUNDEF_P(return_value); + if (Z_TYPE_P(return_value) == IS_STRING) { + zval_ptr_dtor_str(return_value); + } + RETURN_BOOL(retval); } /* }}} */ @@ -6737,7 +6751,11 @@ PHP_FUNCTION(array_all) RETURN_THROWS(); } - RETURN_BOOL(Z_TYPE_P(return_value) == IS_UNDEF); + bool retval = Z_ISUNDEF_P(return_value); + if (Z_TYPE_P(return_value) == IS_STRING) { + zval_ptr_dtor_str(return_value); + } + RETURN_BOOL(retval); } /* }}} */