
Commit ab1d5a9

committed
Merge branch 'PHP-8.1'
2 parents 19273ff + 01b91cb commit ab1d5a9

2 files changed

+50
-3
lines changed


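--- a/ext/ffi/ffi.c
+++ b/ext/ffi/ffi.c
@@ -861,6 +861,14 @@ static void zend_ffi_callback_hash_dtor(zval *zv) /* {{{ */
 if (callback_data->fcc.function_handler->common.fn_flags & ZEND_ACC_CLOSURE) {
 OBJ_RELEASE(ZEND_CLOSURE_OBJECT(callback_data->fcc.function_handler));
 }
+for (int i = 0; i < callback_data->arg_count; ++i) {
+if (callback_data->arg_types[i]->type == FFI_TYPE_STRUCT) {
+efree(callback_data->arg_types[i]);
+}
+}
+if (callback_data->ret_type->type == FFI_TYPE_STRUCT) {
+efree(callback_data->ret_type);
+}
 efree(callback_data);
 }
 /* }}} */
@@ -914,6 +922,8 @@ static void zend_ffi_callback_trampoline(ffi_cif* cif, void* ret, void** args, v
 if (ret_type->kind != ZEND_FFI_TYPE_VOID) {
 zend_ffi_zval_to_cdata(ret, ret_type, &retval);
 }
+
+zval_ptr_dtor(&retval);
 }
 /* }}} */
 
@@ -964,6 +974,11 @@ static void *zend_ffi_create_callback(zend_ffi_type *type, zval *value) /* {{{ *
 callback_data->arg_types[n] = zend_ffi_get_type(arg_type);
 if (!callback_data->arg_types[n]) {
 zend_ffi_pass_unsupported(arg_type);
+for (int i = 0; i < n; ++i) {
+if (callback_data->arg_types[i]->type == FFI_TYPE_STRUCT) {
+efree(callback_data->arg_types[i]);
+}
+}
 efree(callback_data);
 ffi_closure_free(callback);
 return NULL;
@@ -974,20 +989,32 @@ static void *zend_ffi_create_callback(zend_ffi_type *type, zval *value) /* {{{ *
 callback_data->ret_type = zend_ffi_get_type(ZEND_FFI_TYPE(type->func.ret_type));
 if (!callback_data->ret_type) {
 zend_ffi_return_unsupported(type->func.ret_type);
+for (int i = 0; i < callback_data->arg_count; ++i) {
+if (callback_data->arg_types[i]->type == FFI_TYPE_STRUCT) {
+efree(callback_data->arg_types[i]);
+}
+}
 efree(callback_data);
 ffi_closure_free(callback);
 return NULL;
 }
 
 if (ffi_prep_cif(&callback_data->cif, type->func.abi, callback_data->arg_count, callback_data->ret_type, callback_data->arg_types) != FFI_OK) {
 zend_throw_error(zend_ffi_exception_ce, "Cannot prepare callback CIF");
-efree(callback_data);
-ffi_closure_free(callback);
-return NULL;
+goto free_on_failure;
 }
 
 if (ffi_prep_closure_loc(callback, &callback_data->cif, zend_ffi_callback_trampoline, callback_data, code) != FFI_OK) {
 zend_throw_error(zend_ffi_exception_ce, "Cannot prepare callback");
+free_on_failure: ;
+for (int i = 0; i < callback_data->arg_count; ++i) {
+if (callback_data->arg_types[i]->type == FFI_TYPE_STRUCT) {
+efree(callback_data->arg_types[i]);
+}
+}
+if (callback_data->ret_type->type == FFI_TYPE_STRUCT) {
+efree(callback_data->ret_type);
+}
 efree(callback_data);
 ffi_closure_free(callback);
 return NULL;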
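Review bot: The struct-type release loop is now written out four times (the hash dtor and the three failure paths in zend_ffi_create_callback), and the `goto free_on_failure` in the ffi_prep_cif branch jumps into the body of the following `if`, which is legal C but easy to misread and easy to break when either copy is edited. A single static helper called at every site keeps the four copies from drifting and removes the label entirely; the arg-failure site would pass `n` and `NULL` for the return type since `ret_type` is not yet assigned there. The parameter types in the sketch below are taken from the visible uses (`->type == FFI_TYPE_STRUCT` and the `ffi_prep_cif` call), so confirm they match the callback_data field declarations, which are outside the hunk. Separately, the trampoline hunk's new `zval_ptr_dtor(&retval)` runs unconditionally, so `retval` must be initialised on every path that reaches it, including the one where the PHP call itself fails; the start of zend_ffi_callback_trampoline is outside the hunk, so verify that there.
```c
/* Free the fake ffi_type objects zend_ffi_get_type() returns for struct
 * arguments/returns; non-struct ffi_types are not owned by callback_data. */
static void zend_ffi_free_callback_types(ffi_type **arg_types, int arg_count, ffi_type *ret_type)
{
	for (int i = 0; i < arg_count; ++i) {
		if (arg_types[i]->type == FFI_TYPE_STRUCT) {
			efree(arg_types[i]);
		}
	}
	if (ret_type && ret_type->type == FFI_TYPE_STRUCT) {
		efree(ret_type);
	}
}

/* … unchanged: ffi_prep_cif check; same shape at the other three sites … */
		zend_throw_error(zend_ffi_exception_ce, "Cannot prepare callback CIF");
		zend_ffi_free_callback_types(callback_data->arg_types, callback_data->arg_count, callback_data->ret_type);
		efree(callback_data);
		ffi_closure_free(callback);
		return NULL;
```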

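--- a/ext/ffi/tests/gh8433.phpt
+++ b/ext/ffi/tests/gh8433.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-8433 (Assigning function pointers to structs in FFI leaks memory)
+--FILE--
+<?php
+
+$ffi = FFI::cdef("typedef struct { int a; } bar;");
+$x = $ffi->new("bar(*)(void)");
+FFI::addr($x)[0] = function() use ($ffi) {
+$bar = $ffi->new("bar");
+$bar->a = 2;
+return $bar;
+};
+var_dump($x());
+
+?>
+--EXPECTF--
+object(FFI\CData:struct <anonymous>)#%d (1) {
+["a"]=>
+int(2)
+}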
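Review bot: The test only exercises a struct return type (`bar(*)(void)`), so the new release of struct entries in `callback_data->arg_types`, and the three failure paths in zend_ffi_create_callback, are not covered by it. Adding a callback with a struct parameter, e.g. `$y = $ffi->new("int(*)(bar)"); FFI::addr($y)[0] = function($b) { return $b->a; }; var_dump($y($ffi->new("bar")));`, would cover the argument path, assuming struct-by-value callback parameters are accepted by this build. Note that the expected output does not assert the absence of the leak itself; that presumably relies on the test harness's allocator leak report, which only fires in a debug build, so a comment saying so in the --TEST-- section would help whoever runs it on a release build.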
