Fix GH-16326: Memory management is broken for bad dictionaries

cmb69 · cmb69 · commit d94be24f30bc · 2024-10-13T02:28:07.000+02:00
We must not `efree()` `zend_string`s, since they may have a refcount greater than one, and may even be interned. We also must not confuse `zend_string *` with `zend_string **`. And we should play it safe by using `safe_emalloc()` to avoid theoretical integer overflows. We also simplify a bit, according to suggestions of @TimWolla. Closes GH-16335.
diff --git a/NEWS b/NEWS
@@ -46,6 +46,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
     (nielsdos)
 
+- Zlib:
+  . Fixed bug GH-16326 (Memory management is broken for bad dictionaries.)
+    (cmb)
+
 24 Oct 2024, PHP 8.2.25
 
 - Calendar:
diff --git a/ext/zlib/tests/gh16326.phpt b/ext/zlib/tests/gh16326.phpt
@@ -0,0 +1,26 @@
+--TEST--
+GH-16326 (Memory management is broken for bad dictionaries)
+--EXTENSIONS--
+zlib
+--FILE--
+<?php
+try {
+    deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [" ", ""]]);
+} catch (ValueError $ex) {
+    echo $ex->getMessage(), "\n";
+}
+try {
+    deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => ["hello", "wor\0ld"]]);
+} catch (ValueError $ex) {
+    echo $ex->getMessage(), "\n";
+}
+try {
+    deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [" ", new stdClass]]);
+} catch (Error $ex) {
+    echo $ex->getMessage(), "\n";
+}
+?>
+--EXPECT--
+deflate_init(): Argument #2 ($options) must not contain empty strings
+deflate_init(): Argument #2 ($options) must not contain strings with null bytes
+Object of class stdClass could not be converted to string
diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c
@@ -807,35 +807,29 @@ static bool zlib_create_dictionary_string(HashTable *options, char **dict, size_
 				if (zend_hash_num_elements(dictionary) > 0) {
 					char *dictptr;
 					zval *cur;
-					zend_string **strings = emalloc(sizeof(zend_string *) * zend_hash_num_elements(dictionary));
+					zend_string **strings = safe_emalloc(zend_hash_num_elements(dictionary), sizeof(zend_string *), 0);
 					zend_string **end, **ptr = strings - 1;
 
 					ZEND_HASH_FOREACH_VAL(dictionary, cur) {
-						size_t i;
-
 						*++ptr = zval_get_string(cur);
-						if (!*ptr || ZSTR_LEN(*ptr) == 0 || EG(exception)) {
-							if (*ptr) {
-								efree(*ptr);
-							}
-							while (--ptr >= strings) {
-								efree(ptr);
-							}
+						ZEND_ASSERT(*ptr);
+						if (ZSTR_LEN(*ptr) == 0 || EG(exception)) {
+							do {
+								zend_string_release(*ptr);
+							} while (--ptr >= strings);
 							efree(strings);
 							if (!EG(exception)) {
 								zend_argument_value_error(2, "must not contain empty strings");
 							}
 							return 0;
 						}
-						for (i = 0; i < ZSTR_LEN(*ptr); i++) {
-							if (ZSTR_VAL(*ptr)[i] == 0) {
-								do {
-									efree(ptr);
-								} while (--ptr >= strings);
-								efree(strings);
-								zend_argument_value_error(2, "must not contain strings with null bytes");
-								return 0;
-							}
+						if (zend_str_has_nul_byte(*ptr)) {
+							do {
+								zend_string_release(*ptr);
+							} while (--ptr >= strings);
+							efree(strings);
+							zend_argument_value_error(2, "must not contain strings with null bytes");
+							return 0;
 						}
 
 						*dictlen += ZSTR_LEN(*ptr) + 1;
