Fix memory leak when user filter does not fully consume the input brigade buckets #20058
base: PHP-8.3
Conversation
…gade buckets Since the _php_stream_write_filtered() function assumes that the input brigade will be emptied (as it clears one of the bucket brigades), any unconsumed bucket will leak. The other filters do not suffer from this as they abort cleanly with an error code. It's also possible to fix this in _php_stream_write_filtered() with an extra check, but since the user filter is the only one that has this bug and already checks for this condition, we fix it there instead. For completeness, a fix in _php_stream_write_filtered() would look like this: ```diff diff --git a/main/streams/streams.c b/main/streams/streams.c index 372ed66..720f3c15dd7 100644 --- a/main/streams/streams.c +++ b/main/streams/streams.c @@ -1242,6 +1242,15 @@ static ssize_t _php_stream_write_filtered(php_stream *stream, const char *buf, s if (status != PSFS_PASS_ON) { break; } + /* If the filter did not process the entire input brigade, then the buckets need to be freed + * manually or they will be lost when setting up the brigades for next iteration. */ + if (UNEXPECTED(brig_inp->head)) { + do { + bucket = brig_inp->head; + php_stream_bucket_unlink(bucket); + php_stream_bucket_delref(bucket); + } while (brig_inp->head); + } /* brig_out becomes brig_in. * brig_in will always be empty here, as the filter MUST attach any un-consumed buckets * to its own brigade */ ``` Co-authored-by: Gina Peter Banyard <girgias@php.net>
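Review bot: the comment left in place right after the new loop ("brig_in will always be empty here, as the filter MUST attach any un-consumed buckets to its own brigade") no longer holds once the loop silently frees whatever is left on brig_inp; if this variant of the fix were taken, either update that comment or, matching the review suggestion to catch internal filters that break the contract, replace the loop with an assertion that brig_inp->head is NULL after a PSFS_PASS_ON return. Minor: wrapping `do { ... } while (brig_inp->head);` in `if (UNEXPECTED(brig_inp->head))` is redundant; a plain `while (brig_inp->head)` expresses the same thing.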
arnaud-lb
left a comment
This looks good to me
It's also possible to fix this in _php_stream_write_filtered() with an extra check, but since the user filter is the only one that has this bug and already checks for this condition, we fix it there instead.
Could we add an assertion in _php_stream_write_filtered() so we don't make this error when implementing new internal filters?
I will take a look in a couple of weeks.

Note to self: would need to remove the XFAIL of
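A runnable illustration of the leak the commit message describes, added here as an example and not taken from php-src: a toy brigade of refcounted buckets, a filter that passes on one bucket and leaves the rest on its input brigade, and the unlink/delref drain the PR applies to the leftovers. Every name here (bucket, brigade, bucket_unlink, bucket_delref, brigade_drain, lazy_filter, run_chain, live_buckets) is an assumption for this example and not the real php_stream_bucket API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for php_stream_bucket / php_stream_bucket_brigade (assumed
 * names and layout for this example, not php-src's real structs). */
typedef struct bucket {
    char *data;
    size_t len;
    int refcount;
    struct bucket *next, *prev;
} bucket;

typedef struct { bucket *head, *tail; } brigade;

static int live_buckets = 0;  /* number of buckets currently allocated */

static bucket *bucket_new(const char *s) {
    bucket *b = calloc(1, sizeof *b);
    b->len = strlen(s);
    b->data = malloc(b->len + 1);
    memcpy(b->data, s, b->len + 1);
    b->refcount = 1;
    live_buckets++;
    return b;
}

/* Drop one reference; free the bucket when nobody holds it any more. */
static void bucket_delref(bucket *b) {
    if (--b->refcount == 0) {
        free(b->data);
        free(b);
        live_buckets--;
    }
}

static void brigade_append(brigade *bg, bucket *b) {
    b->prev = bg->tail;
    b->next = NULL;
    if (bg->tail) bg->tail->next = b; else bg->head = b;
    bg->tail = b;
}

static void bucket_unlink(brigade *bg, bucket *b) {
    if (b->prev) b->prev->next = b->next; else bg->head = b->next;
    if (b->next) b->next->prev = b->prev; else bg->tail = b->prev;
    b->next = b->prev = NULL;
}

/* The cleanup from the PR: unlink and release every bucket left on a brigade. */
static void brigade_drain(brigade *bg) {
    while (bg->head) {
        bucket *b = bg->head;
        bucket_unlink(bg, b);
        bucket_delref(b);
    }
}

/* A contract-breaking filter: passes on the first bucket and leaves the rest
 * on its input brigade instead of consuming or re-attaching them. */
static void lazy_filter(brigade *in, brigade *out) {
    if (in->head) {
        bucket *b = in->head;
        bucket_unlink(in, b);
        brigade_append(out, b);
    }
}

/* Push n buckets through lazy_filter. With drain_leftover == 0 this mirrors the
 * pre-fix stream code, which assumed the input brigade was empty and simply
 * reset it, so the leftover buckets become unreachable. Returns how many
 * buckets this run leaked (0 means every bucket was released). */
static int run_chain(int n, int drain_leftover) {
    int before = live_buckets;
    brigade in = {0}, out = {0};
    for (int i = 0; i < n; i++) brigade_append(&in, bucket_new("chunk"));
    lazy_filter(&in, &out);
    if (drain_leftover) brigade_drain(&in);  /* the fix: free unconsumed input */
    memset(&in, 0, sizeof in);               /* brigade reset for the next round */
    brigade_drain(&out);                     /* downstream consumes the output */
    return live_buckets - before;
}

int main(void) {
    printf("without drain: %d leaked\n", run_chain(3, 0));  /* 2 */
    printf("with drain:    %d leaked\n", run_chain(3, 1));  /* 0 */
    return 0;
}
```

Three buckets in, one passed on: the un-drained run reports two buckets still allocated after the brigade is reset, the drained run reports none. The leaked buckets in the first run are intentionally left allocated, since that is the condition being shown.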
bukka
left a comment
I think this is the right place to do it because the user filter breaks the contract (input brigade must be empty after processing), but I'm not sure about this change ff84cb0 that applies the same logic for PSFS_FEED_ME and PSFS_FEED_FATAL. I think it should be dropped there and applied only to the user filter. I'm not sure if even the out part is needed anywhere else than the user filter?
@bukka Okay I agree. I've moved that logic to the user filter now.
```c
	}

	/* Filter could've broken contract and added buckets anyway. */
	if (ret == PSFS_FEED_ME && buckets_out->head) {
```
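Review bot: the cleanup guarded by `if (ret == PSFS_FEED_ME && buckets_out->head)` only runs for PSFS_FEED_ME, yet the comment directly above says a user filter may have broken the contract and added buckets anyway, which it can do on any return value; either extend the condition to every status other than PSFS_PASS_ON or add a comment stating why only PSFS_FEED_ME needs the unlink/delref handling.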
I think I'd need to double check whether this ret check is too specific (e.g. do we also need to do anything on FATAL).