Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix leak+crash with sapi_windows_set_ctrl_handler()
2025-08-15 13:38:49 +02:00 · 2025-05-05 19:14:13 +02:00 · 2025-05-05 19:14:13 +02:00 · d4a3e437ae
commit d4a3e437ae
parent 2e2077172d fb3536fd60
5 changed files with 55 additions and 2 deletions
--- a/3
+++ b/3
@ -38,6 +38,9 @@ PHP                                                                        NEWS
  . Fixed bug GH-17403 (Potential deadlock when putenv fails). (nielsdos)
  . Fixed bug GH-18400 (http_build_query type error is inaccurate). (nielsdos)

+- Windows:
+  . Fix leak+crash with sapi_windows_set_ctrl_handler(). (nielsdos)
+
 - Zip:
  . Fixed bug GH-18431 (Registering ZIP progress callback twice doesn't work).
    (nielsdos)
--- a/sapi/cli/tests/sapi_windows_set_ctrl_handler_leak.phpt
+++ b/sapi/cli/tests/sapi_windows_set_ctrl_handler_leak.phpt
@ -0,0 +1,28 @@
+--TEST--
+sapi_windows_set_ctrl_handler() leak bug
+--SKIPIF--
+<?php
+include "skipif.inc";
+
+if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN')
+  die("skip this test is for Windows platforms only");
+?>
+--FILE--
+<?php
+
+class Test {
+	public function set() {
+		sapi_windows_set_ctrl_handler(self::cb(...));
+	}
+	public function cb() {
+	}
+}
+
+$test = new Test;
+$test->set();
+
+echo "Done\n";
+
+?>
+--EXPECT--
+Done
--- a/win32/globals.c
+++ b/win32/globals.c
@ -63,5 +63,7 @@ PHP_RSHUTDOWN_FUNCTION(win32_core_globals)
 {/*{{{*/
 	closelog();

+	php_win32_signal_ctrl_handler_request_shutdown();
+
 	return SUCCESS;
 }/*}}}*/
--- a/win32/signal.c
+++ b/win32/signal.c
@ -68,9 +68,28 @@ PHP_WINUTIL_API void php_win32_signal_ctrl_handler_shutdown(void)
 	zend_interrupt_function = orig_interrupt_function;
 	orig_interrupt_function = NULL;
 	vm_interrupt_flag = NULL;
-	ZVAL_UNDEF(&ctrl_handler);
 }/*}}}*/

+PHP_WINUTIL_API void php_win32_signal_ctrl_handler_request_shutdown(void)
+{
+	/* Must be initialized and in main thread */
+	if (!vm_interrupt_flag) {
+		return;
+	}
+#ifdef ZTS
+	if (!tsrm_is_main_thread()) {
+		return;
+	}
+#endif
+
+	/* The ctrl_handler must be cleared between requests, otherwise we can crash
+	 * due to accessing a previous request's memory. */
+	if (!Z_ISUNDEF(ctrl_handler)) {
+		zval_ptr_dtor(&ctrl_handler);
+		ZVAL_UNDEF(&ctrl_handler);
+	}
+}
+
 static BOOL WINAPI php_win32_signal_system_ctrl_handler(DWORD evt)
 {/*{{{*/
 	if (CTRL_C_EVENT != evt && CTRL_BREAK_EVENT != evt) {
@ -125,7 +144,7 @@ PHP_FUNCTION(sapi_windows_set_ctrl_handler)
 		RETURN_FALSE;
 	}

-	zval_ptr_dtor_nogc(&ctrl_handler);
+	zval_ptr_dtor(&ctrl_handler);
 	ZVAL_COPY(&ctrl_handler, &fci.function_name);

 	RETURN_TRUE;
--- a/win32/signal.h
+++ b/win32/signal.h
@ -10,6 +10,7 @@
 #define	SIGPROF	27				/* profiling time alarm */

 PHP_WINUTIL_API void php_win32_signal_ctrl_handler_init(void);
+PHP_WINUTIL_API void php_win32_signal_ctrl_handler_request_shutdown(void);
 PHP_WINUTIL_API void php_win32_signal_ctrl_handler_shutdown(void);

 #endif /* PHP_WIN32_SIGNAL_H */