]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5477d68)
Fix key leaks in mb_convert_encoding()
authorNikita Popov <nikita.ppv@gmail.com>
Fri, 12 Apr 2019 08:36:26 +0000 (10:36 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Fri, 12 Apr 2019 08:36:58 +0000 (10:36 +0200)
ext/mbstring/mbstring.c patch | blob | history
ext/mbstring/tests/mb_convert_encoding_leak.phpt [new file with mode: 0644] patch | blob

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 9973313985c081884b02dd421e6976b86557e65c..c73a427a68ac52f8fdbb1e8e881b6f7340fb55b1 100644 (file)
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3269,7 +3269,7 @@ MBSTRING_API HashTable *php_mb_convert_encoding_recursive(HashTable *input, cons
 {
        HashTable *output, *chash;
        zend_long idx;
-       zend_string *key, *key_tmp;
+       zend_string *key;
        zval *entry, entry_tmp;
        size_t ckey_len, cval_len;
        char *ckey, *cval;
@@ -3289,7 +3289,8 @@ MBSTRING_API HashTable *php_mb_convert_encoding_recursive(HashTable *input, cons
                /* convert key */
                if (key) {
                        ckey = php_mb_convert_encoding(ZSTR_VAL(key), ZSTR_LEN(key), _to_encoding, _from_encodings, &ckey_len);
-                       key_tmp = zend_string_init(ckey, ckey_len, 0);
+                       key = zend_string_init(ckey, ckey_len, 0);
+                       efree(ckey);
                }
                /* convert value */
                ZEND_ASSERT(entry);
@@ -3317,13 +3318,14 @@ MBSTRING_API HashTable *php_mb_convert_encoding_recursive(HashTable *input, cons
                        case IS_OBJECT:
                        default:
                                if (key) {
-                                       efree(key_tmp);
+                                       zend_string_release(key);
                                }
                                php_error_docref(NULL, E_WARNING, "Object is not supported");
                                continue;
                }
                if (key) {
-                       zend_hash_add(output, key_tmp, &entry_tmp);
+                       zend_hash_add(output, key, &entry_tmp);
+                       zend_string_release(key);
                } else {
                        zend_hash_index_add(output, idx, &entry_tmp);
                }
diff --git a/ext/mbstring/tests/mb_convert_encoding_leak.phpt b/ext/mbstring/tests/mb_convert_encoding_leak.phpt
new file mode 100644 (file)
index 0000000..4e626b0
--- /dev/null
+++ b/ext/mbstring/tests/mb_convert_encoding_leak.phpt
@@ -0,0 +1,16 @@
+--TEST--
+mb_convert_encoding() shouldn't leak keys
+--FILE--
+<?php
+
+$x = "x";
+$array = ["foo" . $x => "bar"];
+mb_convert_encoding($array, 'UTF-8', 'UTF-8');
+var_dump($array);
+
+?>
+--EXPECT--
+array(1) {
+  ["foox"]=>
+  string(3) "bar"
+}
Unnamed repository; edit this file 'description' to name the repository.