Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
  Fix various memory leaks in curl mime handling

Author: nielsdos

NEWS

@@ -7,6 +7,9 @@ PHP                                                                        NEWS
     skipLazyInitialization() may change initialized proxy). (Arnaud)
   . Fix is_zend_ptr() huge block comparison. (nielsdos)
 
+- Curl:
+  . Fix various memory leaks in curl mime handling. (nielsdos)
+
 - DOM:
   . Fixed bug GH-16906 (Reloading document can cause UAF in iterator).
     (nielsdos)

ext/curl/interface.c

@@ -1438,7 +1438,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
 				postval = Z_STR_P(prop);
 
 				if (php_check_open_basedir(ZSTR_VAL(postval))) {
-					return FAILURE;
+					goto out_string;
 				}
 
 				prop = zend_read_property(curl_CURLFile_class, Z_OBJ_P(current), "mime", sizeof("mime")-1, 0, &rv);
@@ -1463,15 +1463,18 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
 					seekfunc = NULL;
 				}
 
+				part = curl_mime_addpart(mime);
+				if (part == NULL) {
+					if (stream) {
+						php_stream_close(stream);
+					}
+					goto out_string;
+				}
+
 				cb_arg = emalloc(sizeof *cb_arg);
 				cb_arg->filename = zend_string_copy(postval);
 				cb_arg->stream = stream;
 
-				part = curl_mime_addpart(mime);
-				if (part == NULL) {
-					zend_string_release_ex(string_key, 0);
-					return FAILURE;
-				}
 				if ((form_error = curl_mime_name(part, ZSTR_VAL(string_key))) != CURLE_OK
 					|| (form_error = curl_mime_data_cb(part, filesize, read_cb, seekfunc, free_cb, cb_arg)) != CURLE_OK
 					|| (form_error = curl_mime_filename(part, filename ? filename : ZSTR_VAL(postval))) != CURLE_OK
@@ -1492,8 +1495,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
 
 			prop = zend_read_property(curl_CURLStringFile_class, Z_OBJ_P(current), "postname", sizeof("postname")-1, 0, &rv);
 			if (EG(exception)) {
-				zend_string_release_ex(string_key, 0);
-				return FAILURE;
+				goto out_string;
 			}
 			ZVAL_DEREF(prop);
 			ZEND_ASSERT(Z_TYPE_P(prop) == IS_STRING);
@@ -1502,8 +1504,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
 
 			prop = zend_read_property(curl_CURLStringFile_class, Z_OBJ_P(current), "mime", sizeof("mime")-1, 0, &rv);
 			if (EG(exception)) {
-				zend_string_release_ex(string_key, 0);
-				return FAILURE;
+				goto out_string;
 			}
 			ZVAL_DEREF(prop);
 			ZEND_ASSERT(Z_TYPE_P(prop) == IS_STRING);
@@ -1512,8 +1513,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
 
 			prop = zend_read_property(curl_CURLStringFile_class, Z_OBJ_P(current), "data", sizeof("data")-1, 0, &rv);
 			if (EG(exception)) {
-				zend_string_release_ex(string_key, 0);
-				return FAILURE;
+				goto out_string;
 			}
 			ZVAL_DEREF(prop);
 			ZEND_ASSERT(Z_TYPE_P(prop) == IS_STRING);
@@ -1525,8 +1525,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
 
 			part = curl_mime_addpart(mime);
 			if (part == NULL) {
-				zend_string_release_ex(string_key, 0);
-				return FAILURE;
+				goto out_string;
 			}
 			if ((form_error = curl_mime_name(part, ZSTR_VAL(string_key))) != CURLE_OK
 				|| (form_error = curl_mime_data(part, ZSTR_VAL(postval), ZSTR_LEN(postval))) != CURLE_OK
@@ -1557,7 +1556,7 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
 
 	SAVE_CURL_ERROR(ch, error);
 	if (error != CURLE_OK) {
-		return FAILURE;
+		goto out_mime;
 	}
 
 	if ((*ch->clone) == 1) {
@@ -1568,6 +1567,12 @@ static inline zend_result build_mime_structure_from_hash(php_curl *ch, zval *zpo
 
 	SAVE_CURL_ERROR(ch, error);
 	return error == CURLE_OK ? SUCCESS : FAILURE;
+
+out_string:
+	zend_string_release_ex(string_key, false);
+out_mime:
+	curl_mime_free(mime);
+	return FAILURE;
 }
 /* }}} */