Fix #76167: mbstring may use pointer from some previous request

We must not reuse per-request memory across multiple requests, so this check triggered during RINIT makes no sense. As explained in the bug report[1], it can be even harmful, if some request startup fails, and the pointers refer to already freed memory in the next request. [1] <https://bugs.php.net/76167> Closes GH-7604.
php · Oct 25, 2021 · d3d6d79 · d3d6d79
1 parent 56495ac
commit d3d6d79
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/NEWS b/NEWS
@@ -14,6 +14,10 @@ PHP                                                                        NEWS
   . Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege
     escalation) (CVE-2021-21703). (Jakub Zelenka)
 
+- MBString:
+  . Fixed bug #76167 (mbstring may use pointer from some previous request).
+    (cmb, cataphract)
+
 - MySQLi:
   . Fixed bug #81494 (Stopped unbuffered query does not throw error). (Nikita)
 

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
@@ -5208,10 +5208,6 @@ static void php_mb_populate_current_detect_order_list(void)
 	const mbfl_encoding **entry = 0;
 	size_t nentries;
 
-	if (MBSTRG(current_detect_order_list)) {
-		return;
-	}
-
 	if (MBSTRG(detect_order_list) && MBSTRG(detect_order_list_size)) {
 		nentries = MBSTRG(detect_order_list_size);
 		entry = (const mbfl_encoding **)safe_emalloc(nentries, sizeof(mbfl_encoding*), 0);