Fix GH-17399: iconv memory leak with large line-length #12

Closed
iliaal wants to merge 1 commit into master from fix/gh-17399-iconv-leak

@iliaal iliaal commented Mar 26, 2026

Summary

_php_iconv_mime_encode() opens two iconv_t handles via system malloc, then calls safe_emalloc(1, max_line_len, 5). When max_line_len is PHP_INT_MAX, the allocation triggers an OOM bailout that skips iconv_close() cleanup, leaking both handles.

Fix: move safe_emalloc before both iconv_open() calls. If it bails out, no handles exist to leak.

@cmb69 suggested this approach in the issue thread.

Test plan

  • ext/iconv/tests/gh17399.phpt triggers the OOM path
  • Leak is only observable under LSAN; the .phpt confirms correct OOM behavior
  • Full ext/iconv/tests/ suite passes with zero regressions

Move the buf allocation in _php_iconv_mime_encode() before the
iconv_open() calls. When max_line_len is excessively large (e.g.
PHP_INT_MAX), safe_emalloc triggers an OOM bailout that skips
cleanup, leaking the iconv handles allocated via system malloc.
By allocating buf first, a bailout happens before any iconv
handles exist.

Closes phpGH-17399

iliaal commented Mar 26, 2026

Submitted upstream as php#21541

@iliaal iliaal closed this Mar 26, 2026
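
The ordering problem described in the PR summary, as an added C model that is not PHP's code and not part of this pull request. `bailing_alloc`, `handle_open`, `handle_close`, `leaked_after` and the two `encode_*` functions are hypothetical stand-ins: `setjmp`/`longjmp` plays the role of the bailout and a counter replaces real `iconv_t` handles.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model, not PHP source: bailout_env stands in for the engine's
 * bailout target and open_handles counts live iconv handles. */
static jmp_buf bailout_env;
static int open_handles;

static int handle_open(void) { return ++open_handles; }
static void handle_close(int h) { (void)h; open_handles--; }

/* Like safe_emalloc(n, size, extra): never returns NULL, it bails out. */
static void *bailing_alloc(size_t n, size_t size, size_t extra)
{
    if (size != 0 && n > (SIZE_MAX - extra) / size) longjmp(bailout_env, 1);
    void *p = malloc(n * size + extra);
    if (p == NULL) longjmp(bailout_env, 1);
    return p;
}

/* Order before the fix: handles first, buffer second. */
void encode_handles_first(size_t max_line_len)
{
    int cd = handle_open(), cd_pl = handle_open();
    void *buf = bailing_alloc(1, max_line_len, 5); /* may jump past cleanup */
    free(buf);
    handle_close(cd_pl);
    handle_close(cd);
}

/* Order after the fix: a bailout happens while no handle is open. */
void encode_buffer_first(size_t max_line_len)
{
    void *buf = bailing_alloc(1, max_line_len, 5);
    int cd = handle_open(), cd_pl = handle_open();
    handle_close(cd_pl);
    handle_close(cd);
    free(buf);
}

/* Runs one variant under a bailout guard; returns handles left open. */
int leaked_after(void (*encode)(size_t), size_t max_line_len)
{
    open_handles = 0;
    if (setjmp(bailout_env) == 0) encode(max_line_len);
    return open_handles;
}
```

Calling `leaked_after(encode_handles_first, SIZE_MAX)` leaves two handles open, while the buffer-first order leaves none for the same input.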