Fix memory leaks in sapi/fuzzer

Lung-Alexandra · Lung-Alexandra · commit c8da762cd047 · 2025-03-16T10:46:54.000+02:00
diff --git a/sapi/fuzzer/fuzzer-json.c b/sapi/fuzzer/fuzzer-json.c
@@ -31,14 +31,15 @@
 #include "ext/json/php_json_parser.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	char *data = malloc(Size+1);
-	memcpy(data, Data, Size);
-	data[Size] = '\0';
 
-	if (fuzzer_request_startup() == FAILURE) {
+    if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+    char *data = malloc(Size+1);
+    memcpy(data, Data, Size);
+    data[Size] = '\0';
+
 	for (int option = 0; option <=1; ++option) {
 		zval result;
 		php_json_parser parser;
diff --git a/sapi/fuzzer/fuzzer-mbregex.c b/sapi/fuzzer/fuzzer-mbregex.c
@@ -30,15 +30,16 @@
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 #ifdef HAVE_MBREGEX
-	char *args[2];
-	char *data = malloc(Size+1);
-	memcpy(data, Data, Size);
-	data[Size] = '\0';
-
+    
 	if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+    char *args[2];
+    char *data = malloc(Size+1);
+	memcpy(data, Data, Size);
+	data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	args[0] = data;
diff --git a/sapi/fuzzer/fuzzer-unserialize.c b/sapi/fuzzer/fuzzer-unserialize.c
@@ -30,14 +30,15 @@
 #include "ext/standard/php_var.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	unsigned char *orig_data = malloc(Size+1);
-	memcpy(orig_data, Data, Size);
-	orig_data[Size] = '\0';
 
-	if (fuzzer_request_startup() == FAILURE) {
+    if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+    unsigned char *orig_data = malloc(Size+1);
+    memcpy(orig_data, Data, Size);
+    orig_data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	{
diff --git a/sapi/fuzzer/fuzzer-unserializehash.c b/sapi/fuzzer/fuzzer-unserializehash.c
@@ -34,15 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
 	}
 	++Start;
 
-	size_t Size = (Data + FullSize) - Start;
-	unsigned char *orig_data = malloc(Size+1);
-	memcpy(orig_data, Start, Size);
-	orig_data[Size] = '\0';
-
 	if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+    size_t Size = (Data + FullSize) - Start;
+    unsigned char *orig_data = malloc(Size+1);
+    memcpy(orig_data, Start, Size);
+    orig_data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	{

Original file line number	Diff line number	Diff line change
`@@ -34,15 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {`
`34`	`34`	`}`
`35`	`35`	`++Start;`
`36`	`36`
`37`		`- size_t Size = (Data + FullSize) - Start;`
`38`		`- unsigned char *orig_data = malloc(Size+1);`
`39`		`- memcpy(orig_data, Start, Size);`
`40`		`- orig_data[Size] = '\0';`
`41`		`-`
`42`	`37`	`if (fuzzer_request_startup() == FAILURE) {`
`43`	`38`	`return 0;`
`44`	`39`	`}`
`45`	`40`
	`41`	`+ size_t Size = (Data + FullSize) - Start;`
	`42`	`+ unsigned char *orig_data = malloc(Size+1);`
	`43`	`+ memcpy(orig_data, Start, Size);`
	`44`	`+ orig_data[Size] = '\0';`
	`45`	`+`
`46`	`46`	`fuzzer_setup_dummy_frame();`
`47`	`47`
`48`	`48`	`{`