Fix phpGH-14643 ext/standard: segfault on user shutdown function release. (php#14656)

devnexen · web-flow · commit bc585cd87ae5 · 2024-06-25T21:13:15.000+01:00
diff --git a/Zend/zend_hash.h b/Zend/zend_hash.h
@@ -851,15 +851,16 @@ static zend_always_inline void *zend_hash_index_update_mem(HashTable *ht, zend_u
 
 static zend_always_inline void *zend_hash_next_index_insert_mem(HashTable *ht, void *pData, size_t size)
 {
-	zval tmp, *zv;
+	zval tmp;
 
-	ZVAL_PTR(&tmp, NULL);
-	if ((zv = zend_hash_next_index_insert(ht, &tmp))) {
-		Z_PTR_P(zv) = pemalloc(size, GC_FLAGS(ht) & IS_ARRAY_PERSISTENT);
-		memcpy(Z_PTR_P(zv), pData, size);
-		return Z_PTR_P(zv);
+	void *p = pemalloc(size, GC_FLAGS(ht) & IS_ARRAY_PERSISTENT);
+	memcpy(p, pData, size);
+	ZVAL_PTR(&tmp, p);
+	if (!zend_hash_next_index_insert(ht, &tmp)) {
+		pefree(p, GC_FLAGS(ht) & IS_ARRAY_PERSISTENT);
+		return NULL;
 	}
-	return NULL;
+	return p;
 }
 
 static zend_always_inline void *zend_hash_find_ptr(const HashTable *ht, zend_string *key)
diff --git a/ext/standard/tests/gh14643_longname.phpt b/ext/standard/tests/gh14643_longname.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-14643: Segfault on empty user function.
+--FILE--
+<?php
+class Logger {
+	public function __construct() {
+		register_shutdown_function(function () {
+			$this->flush();
+			register_shutdown_function([$this, 'flush'], true);
+		});
+	}
+	public function flush($final = false) {
+	}
+}
+while (true) {
+	$a = new Logger();
+}
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of %d bytes exhausted %s
+
+Fatal error: Allowed memory size of %d bytes exhausted %s
