Fix key leaks in mb_convert_encoding()

nikic · nikic · commit 3b53d28e607b · 2019-04-12T10:36:58.000+02:00
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
@@ -3269,7 +3269,7 @@ MBSTRING_API HashTable *php_mb_convert_encoding_recursive(HashTable *input, cons
 {
 	HashTable *output, *chash;
 	zend_long idx;
-	zend_string *key, *key_tmp;
+	zend_string *key;
 	zval *entry, entry_tmp;
 	size_t ckey_len, cval_len;
 	char *ckey, *cval;
@@ -3289,7 +3289,8 @@ MBSTRING_API HashTable *php_mb_convert_encoding_recursive(HashTable *input, cons
 		/* convert key */
 		if (key) {
 			ckey = php_mb_convert_encoding(ZSTR_VAL(key), ZSTR_LEN(key), _to_encoding, _from_encodings, &ckey_len);
-			key_tmp = zend_string_init(ckey, ckey_len, 0);
+			key = zend_string_init(ckey, ckey_len, 0);
+			efree(ckey);
 		}
 		/* convert value */
 		ZEND_ASSERT(entry);
@@ -3317,13 +3318,14 @@ MBSTRING_API HashTable *php_mb_convert_encoding_recursive(HashTable *input, cons
 			case IS_OBJECT:
 			default:
 				if (key) {
-					efree(key_tmp);
+					zend_string_release(key);
 				}
 				php_error_docref(NULL, E_WARNING, "Object is not supported");
 				continue;
 		}
 		if (key) {
-			zend_hash_add(output, key_tmp, &entry_tmp);
+			zend_hash_add(output, key, &entry_tmp);
+			zend_string_release(key);
 		} else {
 			zend_hash_index_add(output, idx, &entry_tmp);
 		}
diff --git a/ext/mbstring/tests/mb_convert_encoding_leak.phpt b/ext/mbstring/tests/mb_convert_encoding_leak.phpt
@@ -0,0 +1,16 @@
+--TEST--
+mb_convert_encoding() shouldn't leak keys
+--FILE--
+<?php
+
+$x = "x";
+$array = ["foo" . $x => "bar"];
+mb_convert_encoding($array, 'UTF-8', 'UTF-8');
+var_dump($array);
+
+?>
+--EXPECT--
+array(1) {
+  ["foox"]=>
+  string(3) "bar"
+}
