Merge branch 'PHP-8.3' into PHP-8.4

nielsdos · nielsdos · commit a67f351b671b · 2025-03-16T16:38:55.000+01:00
* PHP-8.3: Fix GH-18082: Memory leaks in fuzzer SAPI error paths
diff --git a/NEWS b/NEWS
@@ -36,6 +36,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-17991 (Assertion failure dom_attr_value_write). (nielsdos)
   . Fix weird unpack behaviour in DOM. (nielsdos)
 
+- Fuzzer:
+  . Fixed bug GH-18081 (Memory leaks in error paths of fuzzer SAPI).
+    (Lung-Alexandra)
+
 - GD:
   . Fixed bug GH-17984 (calls with arguments as array with references).
     (David Carlier)
diff --git a/sapi/fuzzer/fuzzer-json.c b/sapi/fuzzer/fuzzer-json.c
@@ -15,8 +15,6 @@
    +----------------------------------------------------------------------+
  */
 
-
-
 #include "fuzzer.h"
 
 #include "Zend/zend.h"
@@ -31,14 +29,15 @@
 #include "ext/json/php_json_parser.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	char *data = malloc(Size+1);
-	memcpy(data, Data, Size);
-	data[Size] = '\0';
 
-	if (fuzzer_request_startup() == FAILURE) {
+	if (fuzzer_request_startup() == FAILURE){
 		return 0;
 	}
 
+	char *data = malloc(Size + 1);
+	memcpy(data, Data, Size);
+	data[Size] = '\0';
+
 	for (int option = 0; option <=1; ++option) {
 		zval result;
 		php_json_parser parser;
diff --git a/sapi/fuzzer/fuzzer-mbregex.c b/sapi/fuzzer/fuzzer-mbregex.c
@@ -30,15 +30,16 @@
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 #ifdef HAVE_MBREGEX
-	char *args[2];
-	char *data = malloc(Size+1);
-	memcpy(data, Data, Size);
-	data[Size] = '\0';
 
 	if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+	char *args[2];
+	char *data = malloc(Size+1);
+	memcpy(data, Data, Size);
+	data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	args[0] = data;
diff --git a/sapi/fuzzer/fuzzer-unserialize.c b/sapi/fuzzer/fuzzer-unserialize.c
@@ -30,14 +30,15 @@
 #include "ext/standard/php_var.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	unsigned char *orig_data = malloc(Size+1);
-	memcpy(orig_data, Data, Size);
-	orig_data[Size] = '\0';
 
 	if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+	unsigned char *orig_data = malloc(Size+1);
+	memcpy(orig_data, Data, Size);
+	orig_data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	{
diff --git a/sapi/fuzzer/fuzzer-unserializehash.c b/sapi/fuzzer/fuzzer-unserializehash.c
@@ -34,15 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
 	}
 	++Start;
 
+	if (fuzzer_request_startup() == FAILURE) {
+		return 0;
+	}
+
 	size_t Size = (Data + FullSize) - Start;
 	unsigned char *orig_data = malloc(Size+1);
 	memcpy(orig_data, Start, Size);
 	orig_data[Size] = '\0';
 
-	if (fuzzer_request_startup() == FAILURE) {
-		return 0;
-	}
-
 	fuzzer_setup_dummy_frame();
 
 	{
