Commit a67f351

committed

Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix GH-18082: Memory leaks in fuzzer SAPI error paths

2 parents 45fc03c + 38e553e commit a67f351Copy full SHA for a67f351

File tree

+22

-17

lines changed

+22

-17

lines changed

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,10 @@ PHP NEWS`
`36`	`36`	`. Fixed bug GH-17991 (Assertion failure dom_attr_value_write). (nielsdos)`
`37`	`37`	`. Fix weird unpack behaviour in DOM. (nielsdos)`
`38`	`38`
	`39`	`+- Fuzzer:`
	`40`	`+ . Fixed bug GH-18081 (Memory leaks in error paths of fuzzer SAPI).`
	`41`	`+ (Lung-Alexandra)`
	`42`	`+`
`39`	`43`	`- GD:`
`40`	`44`	`. Fixed bug GH-17984 (calls with arguments as array with references).`
`41`	`45`	`(David Carlier)`

Lines changed: 5 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,6 @@`
`15`	`15`	`+----------------------------------------------------------------------+`
`16`	`16`	`*/`
`17`	`17`
`18`		`-`
`19`		`-`
`20`	`18`	`#include "fuzzer.h"`
`21`	`19`
`22`	`20`	`#include "Zend/zend.h"`
`@@ -31,14 +29,15 @@`
`31`	`29`	`#include "ext/json/php_json_parser.h"`
`32`	`30`
`33`	`31`	`int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {`
`34`		`- char *data = malloc(Size+1);`
`35`		`- memcpy(data, Data, Size);`
`36`		`- data[Size] = '0円';`
`37`	`32`
`38`		`- if (fuzzer_request_startup() == FAILURE){`
	`33`	`+ if (fuzzer_request_startup() == FAILURE){`
`39`	`34`	`return 0;`
`40`	`35`	`}`
`41`	`36`
	`37`	`+ char *data = malloc(Size + 1);`
	`38`	`+ memcpy(data, Data, Size);`
	`39`	`+ data[Size] = '0円';`
	`40`	`+`
`42`	`41`	`for (int option = 0; option <=1; ++option) {`
`43`	`42`	`zval result;`
`44`	`43`	`php_json_parser parser;`

Lines changed: 5 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,15 +30,16 @@`
`30`	`30`
`31`	`31`	`int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {`
`32`	`32`	`#ifdef HAVE_MBREGEX`
`33`		`- char *args[2];`
`34`		`- char *data = malloc(Size+1);`
`35`		`- memcpy(data, Data, Size);`
`36`		`- data[Size] = '0円';`
`37`	`33`
`38`	`34`	`if (fuzzer_request_startup() == FAILURE) {`
`39`	`35`	`return 0;`
`40`	`36`	`}`
`41`	`37`
	`38`	`+ char *args[2];`
	`39`	`+ char *data = malloc(Size+1);`
	`40`	`+ memcpy(data, Data, Size);`
	`41`	`+ data[Size] = '0円';`
	`42`	`+`
`42`	`43`	`fuzzer_setup_dummy_frame();`
`43`	`44`
`44`	`45`	`args[0] = data;`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,14 +30,15 @@`
`30`	`30`	`#include "ext/standard/php_var.h"`
`31`	`31`
`32`	`32`	`int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {`
`33`		`- unsigned char *orig_data = malloc(Size+1);`
`34`		`- memcpy(orig_data, Data, Size);`
`35`		`- orig_data[Size] = '0円';`
`36`	`33`
`37`	`34`	`if (fuzzer_request_startup() == FAILURE) {`
`38`	`35`	`return 0;`
`39`	`36`	`}`
`40`	`37`
	`38`	`+ unsigned char *orig_data = malloc(Size+1);`
	`39`	`+ memcpy(orig_data, Data, Size);`
	`40`	`+ orig_data[Size] = '0円';`
	`41`	`+`
`41`	`42`	`fuzzer_setup_dummy_frame();`
`42`	`43`
`43`	`44`	`{`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,15 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {`
`34`	`34`	`}`
`35`	`35`	`++Start;`
`36`	`36`
	`37`	`+ if (fuzzer_request_startup() == FAILURE) {`
	`38`	`+ return 0;`
	`39`	`+ }`
	`40`	`+`
`37`	`41`	`size_t Size = (Data + FullSize) - Start;`
`38`	`42`	`unsigned char *orig_data = malloc(Size+1);`
`39`	`43`	`memcpy(orig_data, Start, Size);`
`40`	`44`	`orig_data[Size] = '0円';`
`41`	`45`
`42`		`- if (fuzzer_request_startup() == FAILURE) {`
`43`		`- return 0;`
`44`		`- }`
`45`		`-`
`46`	`46`	`fuzzer_setup_dummy_frame();`
`47`	`47`
`48`	`48`	`{`

Comments

(0)