Merge branch 'PHP-8.2' into PHP-8.3

nielsdos · nielsdos · commit eaa2b61acbd6 · 2024-11-01T20:43:28.000+01:00
* PHP-8.2: Fix GH-16604: Memory leaks in SPL constructors
diff --git a/NEWS b/NEWS
@@ -120,6 +120,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()). (nielsdos)
   . Fixed bug GH-14687 (segfault on SplObjectIterator instance).
     (David Carlier)
+  . Fixed bug GH-16604 (Memory leaks in SPL constructors). (nielsdos)
 
 - Standard:
   . Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
@@ -2046,6 +2046,12 @@ PHP_METHOD(SplFileObject, __construct)
 		RETURN_THROWS();
 	}
 
+	/* Prevent reinitialization of Object */
+	if (UNEXPECTED(intern->u.file.stream)) {
+		zend_throw_error(NULL, "Cannot call constructor twice");
+		RETURN_THROWS();
+	}
+
 	intern->u.file.open_mode = zend_string_copy(open_mode);
 	/* file_name and zcontext are copied by spl_filesystem_file_open() */
 	intern->file_name = file_name;
@@ -2089,7 +2095,7 @@ PHP_METHOD(SplTempFileObject, __construct)
 	}
 
 	/* Prevent reinitialization of Object */
-	if (intern->u.file.stream) {
+	if (UNEXPECTED(intern->u.file.stream)) {
 		zend_throw_error(NULL, "Cannot call constructor twice");
 		RETURN_THROWS();
 	}
diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c
@@ -532,6 +532,20 @@ static zend_result spl_get_iterator_from_aggregate(zval *retval, zend_class_entr
 	return SUCCESS;
 }
 
+static void spl_RecursiveIteratorIterator_free_iterators(spl_recursive_it_object *object)
+{
+	if (object->iterators) {
+		while (object->level >= 0) {
+			zend_object_iterator *sub_iter = object->iterators[object->level].iterator;
+			zend_iterator_dtor(sub_iter);
+			zval_ptr_dtor(&object->iterators[object->level].zobject);
+			object->level--;
+		}
+		efree(object->iterators);
+		object->iterators = NULL;
+	}
+}
+
 static void spl_recursive_it_it_construct(INTERNAL_FUNCTION_PARAMETERS, zend_class_entry *ce_base, zend_class_entry *ce_inner, recursive_it_it_type rit_type)
 {
 	zval *object = ZEND_THIS;
@@ -598,6 +612,7 @@ static void spl_recursive_it_it_construct(INTERNAL_FUNCTION_PARAMETERS, zend_cla
 	}
 
 	intern = Z_SPLRECURSIVE_IT_P(object);
+	spl_RecursiveIteratorIterator_free_iterators(intern);
 	intern->iterators = emalloc(sizeof(spl_sub_iterator));
 	intern->level = 0;
 	intern->mode = mode;
@@ -644,6 +659,7 @@ static void spl_recursive_it_it_construct(INTERNAL_FUNCTION_PARAMETERS, zend_cla
 	intern->iterators[0].getchildren = NULL;
 
 	if (EG(exception)) {
+		// TODO: use spl_RecursiveIteratorIterator_free_iterators
 		zend_object_iterator *sub_iter;
 
 		while (intern->level >= 0) {
@@ -952,16 +968,7 @@ static void spl_RecursiveIteratorIterator_free_storage(zend_object *_object)
 {
 	spl_recursive_it_object *object = spl_recursive_it_from_obj(_object);
 
-	if (object->iterators) {
-		while (object->level >= 0) {
-			zend_object_iterator *sub_iter = object->iterators[object->level].iterator;
-			zend_iterator_dtor(sub_iter);
-			zval_ptr_dtor(&object->iterators[object->level].zobject);
-			object->level--;
-		}
-		efree(object->iterators);
-		object->iterators = NULL;
-	}
+	spl_RecursiveIteratorIterator_free_iterators(object);
 
 	zend_object_std_dtor(&object->std);
 	for (size_t i = 0; i < 6; i++) {
diff --git a/ext/spl/tests/gh16604_1.phpt b/ext/spl/tests/gh16604_1.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-16604 (Memory leaks in SPL constructors) - recursive iterators
+--FILE--
+<?php
+
+$traversable = new RecursiveArrayIterator( [] );
+
+$obj = new RecursiveIteratorIterator( $traversable );
+$obj->__construct( $traversable );
+
+$obj = new RecursiveTreeIterator( $traversable );
+$obj->__construct( $traversable );
+
+?>
+--EXPECT--
diff --git a/ext/spl/tests/gh16604_2.phpt b/ext/spl/tests/gh16604_2.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-16604 (Memory leaks in SPL constructors) - SplFileObject
+--FILE--
+<?php
+
+file_put_contents(__DIR__.'/gh16604_2.tmp', 'hello');
+
+$obj = new SplFileObject(__DIR__.'/gh16604_2.tmp');
+try {
+    $obj->__construct(__DIR__.'/gh16604_2.tmp');
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__.'/gh16604_2.tmp');
+?>
+--EXPECT--
+Cannot call constructor twice

Original file line number	Diff line number	Diff line change
`@@ -2046,6 +2046,12 @@ PHP_METHOD(SplFileObject, __construct)`
`2046`	`2046`	`RETURN_THROWS();`
`2047`	`2047`	`}`
`2048`	`2048`
	`2049`	`+ /* Prevent reinitialization of Object */`
	`2050`	`+ if (UNEXPECTED(intern->u.file.stream)) {`
	`2051`	`+ zend_throw_error(NULL, "Cannot call constructor twice");`
	`2052`	`+ RETURN_THROWS();`
	`2053`	`+ }`
	`2054`	`+`
`2049`	`2055`	`intern->u.file.open_mode = zend_string_copy(open_mode);`
`2050`	`2056`	`/* file_name and zcontext are copied by spl_filesystem_file_open() */`
`2051`	`2057`	`intern->file_name = file_name;`
`@@ -2089,7 +2095,7 @@ PHP_METHOD(SplTempFileObject, __construct)`
`2089`	`2095`	`}`
`2090`	`2096`
`2091`	`2097`	`/* Prevent reinitialization of Object */`
`2092`		`- if (intern->u.file.stream) {`
	`2098`	`+ if (UNEXPECTED(intern->u.file.stream)) {`
`2093`	`2099`	`zend_throw_error(NULL, "Cannot call constructor twice");`
`2094`	`2100`	`RETURN_THROWS();`
`2095`	`2101`	`}`