Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix GH-16326: Memory management is broken for bad dictionaries
2025-08-15 21:48:51 +02:00 · 2024-10-13 02:30:22 +02:00 · 2024-10-13 02:30:22 +02:00 · a7918a7ac3
commit a7918a7ac3
parent b7e39970d3 631c04e690
3 changed files with 43 additions and 19 deletions
--- a/4
+++ b/4
@ -54,6 +54,10 @@ PHP                                                                        NEWS
  . Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
    (nielsdos)

+- Zlib:
+  . Fixed bug GH-16326 (Memory management is broken for bad dictionaries.)
+    (cmb)
+
 10 Oct 2024, PHP 8.4.0RC2

 - CGI:
--- a/ext/zlib/tests/gh16326.phpt
+++ b/ext/zlib/tests/gh16326.phpt
@ -0,0 +1,26 @@
+--TEST--
+GH-16326 (Memory management is broken for bad dictionaries)
+--EXTENSIONS--
+zlib
+--FILE--
+<?php
+try {
+    deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [" ", ""]]);
+} catch (ValueError $ex) {
+    echo $ex->getMessage(), "\n";
+}
+try {
+    deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => ["hello", "wor\0ld"]]);
+} catch (ValueError $ex) {
+    echo $ex->getMessage(), "\n";
+}
+try {
+    deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [" ", new stdClass]]);
+} catch (Error $ex) {
+    echo $ex->getMessage(), "\n";
+}
+?>
+--EXPECT--
+deflate_init(): Argument #2 ($options) must not contain empty strings
+deflate_init(): Argument #2 ($options) must not contain strings with null bytes
+Object of class stdClass could not be converted to string
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@ -804,35 +804,29 @@ static bool zlib_create_dictionary_string(HashTable *options, char **dict, size_
 				if (zend_hash_num_elements(dictionary) > 0) {
 					char *dictptr;
 					zval *cur;
-					zend_string **strings = emalloc(sizeof(zend_string *) * zend_hash_num_elements(dictionary));
+					zend_string **strings = safe_emalloc(zend_hash_num_elements(dictionary), sizeof(zend_string *), 0);
 					zend_string **end, **ptr = strings - 1;

 					ZEND_HASH_FOREACH_VAL(dictionary, cur) {
-						size_t i;
-
 						*++ptr = zval_get_string(cur);
-						if (!*ptr || ZSTR_LEN(*ptr) == 0 || EG(exception)) {
-							if (*ptr) {
-								efree(*ptr);
-							}
-							while (--ptr >= strings) {
-								efree(ptr);
-							}
+						ZEND_ASSERT(*ptr);
+						if (ZSTR_LEN(*ptr) == 0 || EG(exception)) {
+							do {
+								zend_string_release(*ptr);
+							} while (--ptr >= strings);
 							efree(strings);
 							if (!EG(exception)) {
 								zend_argument_value_error(2, "must not contain empty strings");
 							}
 							return 0;
 						}
-						for (i = 0; i < ZSTR_LEN(*ptr); i++) {
-							if (ZSTR_VAL(*ptr)[i] == 0) {
-								do {
-									efree(ptr);
-								} while (--ptr >= strings);
-								efree(strings);
-								zend_argument_value_error(2, "must not contain strings with null bytes");
-								return 0;
-							}
+						if (zend_str_has_nul_byte(*ptr)) {
+							do {
+								zend_string_release(*ptr);
+							} while (--ptr >= strings);
+							efree(strings);
+							zend_argument_value_error(2, "must not contain strings with null bytes");
+							return 0;
 						}

 						*dictlen += ZSTR_LEN(*ptr) + 1;