From cc93bbb765a15123db0320ff50113de0300bcb11 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Thu, 7 Aug 2025 19:27:58 +0200 Subject: [PATCH] Fix GH-19397: mb_list_encodings() can cause crashes on shutdown The request shutdown does not necessarily hold the last reference, if there is still a CV that refers to the array. Closes GH-19405. --- NEWS | 4 ++++ ext/mbstring/mbstring.c | 4 ++-- ext/mbstring/tests/gh19397.phpt | 11 +++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 ext/mbstring/tests/gh19397.phpt diff --git a/NEWS b/NEWS index 33ce00bc0ca..fd2aad2d4e8 100644 --- a/NEWS +++ b/NEWS @@ -46,6 +46,10 @@ PHP NEWS . Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by php_libxml_node_free). (nielsdos) +- MbString: + . Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown). + (nielsdos) + - Opcache: . Reset global pointers to prevent use-after-free in zend_jit_status(). (Florian Engelhardt) diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c index dec565707fa..1d5c27a2a38 100644 --- a/ext/mbstring/mbstring.c +++ b/ext/mbstring/mbstring.c @@ -1165,8 +1165,8 @@ PHP_RSHUTDOWN_FUNCTION(mbstring) MBSTRG(outconv_state) = 0; if (MBSTRG(all_encodings_list)) { - GC_DELREF(MBSTRG(all_encodings_list)); - zend_array_destroy(MBSTRG(all_encodings_list)); + /* must be *array* release to remove from GC root buffer and free the hashtable itself */ + zend_array_release(MBSTRG(all_encodings_list)); MBSTRG(all_encodings_list) = NULL; } diff --git a/ext/mbstring/tests/gh19397.phpt b/ext/mbstring/tests/gh19397.phpt new file mode 100644 index 00000000000..e6e07b161c0 --- /dev/null +++ b/ext/mbstring/tests/gh19397.phpt @@ -0,0 +1,11 @@ +--TEST-- +GH-19397 (mb_list_encodings() can cause crashes on shutdown) +--EXTENSIONS-- +mbstring +--FILE-- + 0); +?> +--EXPECT-- +bool(true)