author | Nikita Popov <nikita.ppv@gmail.com> | 2020-08-11 10:33:59 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-08-11 10:33:59 +0200 |
commit | 9d9dffe60aee0fb469ee0d414eca2a5033a7eafc (patch) | |
tree | 00dc8c587676f8dc4c5495e57b13fe3ce8335a65 | |
parent | 07cb2755bec2fe4671b35defc9e76f495ce6e9d1 (diff) | |
download | php-git-9d9dffe60aee0fb469ee0d414eca2a5033a7eafc.tar.gz |
Fixed bug #79951
One branch did not release tmp_replace_entry_str.
Also reduce the scope of some variables.
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/standard/string.c | 16 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug79951.phpt | 10 |
3 files changed, 17 insertions, 10 deletions
@@ -27,6 +27,7 @@ PHP NEWS
 . Fixed bug #79930 (array_merge_recursive() crashes when called with array with single reference). (Nikita)
 . Fixed bug #79944 (getmxrr always returns true on Alpine linux). (Nikita)
+ . Fixed bug #79951 (Memory leak in str_replace of empty string). (Nikita)
 - XML:
 . Fixed bug #79922 (Crash after multiple calls to xml_parser_free()). (cmb)
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 8cf206533a..b070a5e827 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4269,12 +4269,9 @@ PHPAPI void php_stripslashes(zend_string *str)
 */
 static zend_long php_str_replace_in_subject(zval *search, zval *replace, zval *subject, zval *result, int case_sensitivity)
 {
- zval *search_entry,
- *replace_entry = NULL;
+ zval *search_entry;
 zend_string *tmp_result,
- *tmp_subject_str,
- *tmp_replace_entry_str = NULL,
- *replace_entry_str;
+ *tmp_subject_str;
 char *replace_value = NULL;
 size_t replace_len = 0;
 zend_long replace_count = 0;
@@ -4308,10 +4305,12 @@ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zval *s
 /* Make sure we're dealing with strings. */
 zend_string *tmp_search_str;
 zend_string *search_str = zval_get_tmp_string(search_entry, &tmp_search_str);
+ zend_string *replace_entry_str, *tmp_replace_entry_str = NULL;
 /* If replace is an array. */
 if (Z_TYPE_P(replace) == IS_ARRAY) {
 /* Get current entry */
+ zval *replace_entry = NULL;
 while (replace_idx < Z_ARRVAL_P(replace)->nNumUsed) {
 replace_entry = &Z_ARRVAL_P(replace)->arData[replace_idx].val;
 if (Z_TYPE_P(replace_entry) != IS_UNDEF) {
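Review bot: The `= NULL` initialiser on `tmp_replace_entry_str` in the new per-iteration declaration (the `@@ -4308` hunk) is load-bearing and should carry a comment, because the later hunk releases the variable unconditionally on both exits from the iteration. That presumably includes iterations where `replace` is not an array or has no entry left, so nothing was ever assigned. `zend_tmp_string_release()` does nothing for a NULL argument, so dropping the initialiser in a later cleanup would turn those paths into a release of an indeterminate pointer. A line such as `/* NULL unless a temporary was created; released on every exit from this iteration */` above the declaration would record the invariant. The loop body continues outside this hunk, so the assignment of `replace_entry_str`, which is declared without a value on the same line, cannot be checked from here.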
@@ -4368,15 +4367,12 @@ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zval *s
 }
 } else {
 zend_tmp_string_release(tmp_search_str);
+ zend_tmp_string_release(tmp_replace_entry_str);
 continue;
 }
 zend_tmp_string_release(tmp_search_str);
-
- if (tmp_replace_entry_str) {
- zend_string_release_ex(tmp_replace_entry_str, 0);
- tmp_replace_entry_str = NULL;
- }
+ zend_tmp_string_release(tmp_replace_entry_str);
 if (subject_str == tmp_result) {
 zend_string_delref(subject_str);
diff --git a/ext/standard/tests/strings/bug79951.phpt b/ext/standard/tests/strings/bug79951.phpt
new file mode 100644
index 0000000000..5663ba6cb7
--- /dev/null
+++ b/ext/standard/tests/strings/bug79951.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #79951: Memory leak in str_replace of empty string
+--FILE--
+<?php
+
+var_dump(str_replace([""], [1000], "foo"));
+
+?>
+--EXPECT--
+string(3) "foo" |
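Review bot: In the `@@ -4368` hunk of ext/standard/string.c the release of `tmp_replace_entry_str` now has to be repeated by hand on each exit from the loop body, once before `continue;` in the `else` branch and once on the fall-through path. That is the same shape that produced the leak being fixed: any `continue` or `break` added to this loop later will leak again unless it copies both `zend_tmp_string_release()` calls. Consider funnelling the exits through a single cleanup point at the end of the iteration, or at least put `/* every exit from this iteration must release tmp_search_str and tmp_replace_entry_str */` at the top of the loop body. The loop and the function both extend beyond this hunk, so whether other exits exist cannot be checked from here.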
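Review bot: The new bug79951.phpt asserts only the returned string, so by itself it passes with or without the fix. It catches the leak only when the test run reports unfreed memory, which as far as I know is the case on debug builds. It also exercises a single shape, one empty search entry with an array replacement. A second call that mixes an empty and a non-empty search entry, for example `var_dump(str_replace(["", "o"], [1000, 2000], "foo"));`, would cover the iteration that follows the early `continue`. A `str_ireplace()` variant would cover the case-insensitive caller if it goes through the same helper.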