diff options
| -rw-r--r-- | ext/standard/string.c | 16 | ||||
| -rw-r--r-- | ext/standard/tests/strings/bug79951.phpt | 10 |
2 files changed, 16 insertions, 10 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c index bfa2d57088..9a877ce138 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -4090,11 +4090,8 @@ PHPAPI void php_stripslashes(zend_string *str) /* {{{ php_str_replace_in_subject */ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zend_string *subject_str, zval *result, int case_sensitivity) { - zval *search_entry, - *replace_entry = NULL; - zend_string *tmp_result, - *tmp_replace_entry_str = NULL, - *replace_entry_str; + zval *search_entry; + zend_string *tmp_result; char *replace_value = NULL; size_t replace_len = 0; zend_long replace_count = 0; @@ -4124,10 +4121,12 @@ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zend_st /* Make sure we're dealing with strings. */ zend_string *tmp_search_str; zend_string *search_str = zval_get_tmp_string(search_entry, &tmp_search_str); + zend_string *replace_entry_str, *tmp_replace_entry_str = NULL; /* If replace is an array. */ if (Z_TYPE_P(replace) == IS_ARRAY) { /* Get current entry */ + zval *replace_entry = NULL; while (replace_idx < Z_ARRVAL_P(replace)->nNumUsed) { replace_entry = &Z_ARRVAL_P(replace)->arData[replace_idx].val; if (Z_TYPE_P(replace_entry) != IS_UNDEF) { @@ -4184,15 +4183,12 @@ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zend_st } } else { zend_tmp_string_release(tmp_search_str); + zend_tmp_string_release(tmp_replace_entry_str); continue; } zend_tmp_string_release(tmp_search_str); - - if (tmp_replace_entry_str) { - zend_string_release_ex(tmp_replace_entry_str, 0); - tmp_replace_entry_str = NULL; - } + zend_tmp_string_release(tmp_replace_entry_str); if (subject_str == tmp_result) { zend_string_delref(subject_str); diff --git a/ext/standard/tests/strings/bug79951.phpt b/ext/standard/tests/strings/bug79951.phpt new file mode 100644 index 0000000000..5663ba6cb7 --- /dev/null +++ b/ext/standard/tests/strings/bug79951.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #79951: Memory leak in str_replace of empty string +--FILE-- +<?php + +var_dump(str_replace([""], [1000], "foo")); + +?> +--EXPECT-- +string(3) "foo" |