Skip to content

Fix GH-16326: Memory management is broken for bad dictionaries #16335

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

Fix GH-16326: Memory management is broken for bad dictionaries #16335

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c968f53
Fix GH-16326: Memory management is broken for bad dictionaries
cmb69 Oct 9, 2024
395b1ee
Apply suggested improvements by @TimWolla
cmb69 Oct 10, 2024
3ca9c83
Remove unused variable
cmb69 Oct 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions ext/zlib/tests/gh16326.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
--TEST--
GH-16326 (Memory management is broken for bad dictionaries)
--EXTENSIONS--
zlib
--FILE--
<?php
try {
deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [" ", ""]]);
} catch (ValueError $ex) {
echo $ex->getMessage(), "\n";
}
try {
deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => ["hello", "wor\0ld"]]);
} catch (ValueError $ex) {
echo $ex->getMessage(), "\n";
}
?>
--EXPECT--
deflate_init(): Argument #2 ($options) must not contain empty strings
deflate_init(): Argument #2 ($options) must not contain strings with null bytes
8 changes: 4 additions & 4 deletions ext/zlib/zlib.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -807,7 +807,7 @@ static bool zlib_create_dictionary_string(HashTable *options, char **dict, size_
if (zend_hash_num_elements(dictionary) > 0) {
char *dictptr;
zval *cur;
zend_string **strings = emalloc(sizeof(zend_string *) * zend_hash_num_elements(dictionary));
zend_string **strings = safe_emalloc(zend_hash_num_elements(dictionary), sizeof(zend_string *), 0);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
zend_string **strings = safe_emalloc(zend_hash_num_elements(dictionary), sizeof(zend_string *), 0);
zend_string **strings = safe_emalloc(zend_hash_num_elements(dictionary), sizeof(*strings), 0);

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I prefer using sizeof with an expression (in which case I also prefer to omit the parentheses), but I think I've seen it most of the time using a type in php-src. Do we have a style guideline about that?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a style guideline about that?

I am not aware of anything.

zend_string **end, **ptr = strings - 1;

ZEND_HASH_FOREACH_VAL(dictionary, cur) {
Expand All @@ -816,10 +816,10 @@ static bool zlib_create_dictionary_string(HashTable *options, char **dict, size_
*++ptr = zval_get_string(cur);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the future we should use the try API here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't make it better, I'm afraid. Now we have to check for EG(exception) but can be sure that *ptr is not NULL; with zval_try_get_string() we no longer have to check for EG(exception), but need to check that *ptr is not NULL before releasing it. Basically, what we did.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, but it is easier to miss checking for EG(exception) and use some sort of default zend_string then not having one in the first place IMHO.

if (!*ptr || ZSTR_LEN(*ptr) == 0 || EG(exception)) {
if (*ptr) {
efree(*ptr);
zend_string_release(*ptr);
}
while (--ptr >= strings) {
efree(ptr);
zend_string_release(*ptr);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this can be adjusted to a do-while loop for consistency with the NUL check case below. Or perhaps this can be unified into a single place with a goto.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, since zval_get_string() always returns a zend_string, we can simplify.

Regarding goto see https://xkcd.com/292/ ;)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer a well-placed goto over duplicating error handling all over the place. In fact it's already a little messy with the EG(exception) check reusing the first if() for the error handling only.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion, it's much better than it was, and I'm fine with. Maybe we get a third opinion. :)

efree(strings);
if (!EG(exception)) {
Expand All @@ -830,7 +830,7 @@ static bool zlib_create_dictionary_string(HashTable *options, char **dict, size_
for (i = 0; i < ZSTR_LEN(*ptr); i++) {
if (ZSTR_VAL(*ptr)[i] == 0) {
do {
efree(ptr);
zend_string_release(*ptr);
} while (--ptr >= strings);
efree(strings);
zend_argument_value_error(2, "must not contain strings with null bytes");
Expand Down