Fix GH-18082: Memory leaks in fuzzer SAPI error paths

Closes GH-18081.

Author: Lung-Alexandra

NEWS

@@ -25,6 +25,10 @@ PHP                                                                        NEWS
 - Embed:
   . Fixed bug GH-8533 (Unable to link dynamic libphp on Mac). (Kévin Dunglas)
 
+- Fuzzer:
+  . Fixed bug GH-18081 (Memory leaks in error paths of fuzzer SAPI).
+    (Lung-Alexandra)
+
 - Mbstring:
   . Fixed bug GH-17989 (mb_output_handler crash with unset
     http_output_conv_mimetypes). (nielsdos)

sapi/fuzzer/fuzzer-json.c

@@ -15,8 +15,6 @@
    +----------------------------------------------------------------------+
  */
 
-
-
 #include "fuzzer.h"
 
 #include "Zend/zend.h"
@@ -31,14 +29,15 @@
 #include "ext/json/php_json_parser.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	char *data = malloc(Size+1);
-	memcpy(data, Data, Size);
-	data[Size] = '\0';
 
-	if (fuzzer_request_startup() == FAILURE) {
+	if (fuzzer_request_startup() == FAILURE){
 		return 0;
 	}
 
+	char *data = malloc(Size + 1);
+	memcpy(data, Data, Size);
+	data[Size] = '\0';
+
 	for (int option = 0; option <=1; ++option) {
 		zval result;
 		php_json_parser parser;

sapi/fuzzer/fuzzer-mbregex.c

@@ -30,15 +30,16 @@
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 #ifdef HAVE_MBREGEX
-	char *args[2];
-	char *data = malloc(Size+1);
-	memcpy(data, Data, Size);
-	data[Size] = '\0';
 
 	if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+	char *args[2];
+	char *data = malloc(Size+1);
+	memcpy(data, Data, Size);
+	data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	args[0] = data;

sapi/fuzzer/fuzzer-unserialize.c

@@ -30,14 +30,15 @@
 #include "ext/standard/php_var.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	unsigned char *orig_data = malloc(Size+1);
-	memcpy(orig_data, Data, Size);
-	orig_data[Size] = '\0';
 
 	if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+	unsigned char *orig_data = malloc(Size+1);
+	memcpy(orig_data, Data, Size);
+	orig_data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	{

sapi/fuzzer/fuzzer-unserializehash.c

@@ -34,15 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
 	}
 	++Start;
 
+	if (fuzzer_request_startup() == FAILURE) {
+		return 0;
+	}
+
 	size_t Size = (Data + FullSize) - Start;
 	unsigned char *orig_data = malloc(Size+1);
 	memcpy(orig_data, Start, Size);
 	orig_data[Size] = '\0';
 
-	if (fuzzer_request_startup() == FAILURE) {
-		return 0;
-	}
-
 	fuzzer_setup_dummy_frame();
 
 	{