Fix GH-10755: Memory leak in phar_rename_archive()

In phar_renmae_archive() context, added one reference but immediately destroyed another, so do not need to increase refcount. With removal of refcount++ line, PHP/Zend no longer reports memory leak. Updated bug69958.phpt test file accordingly. Closes GH-10856
php · Mar 20, 2023 · edae243 · edae243
1 parent 5efd60e
commit edae243
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 6 deletions.
diff --git a/NEWS b/NEWS
@@ -98,6 +98,9 @@ PHP                                                                        NEWS
   . pg_fetch_object raises a ValueError instead of an Exception.
     (David Carlier)
 
+- Phar:
+  . Fix memory leak in phar_rename_archive(). (stkeke)
+
 - Posix:
   . Added posix_sysconf. (David Carlier)
   . Added posix_pathconf. (David Carlier)

diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
@@ -2113,10 +2113,12 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext) /*
 				pphar->flags = phar->flags;
 				pphar->fp = phar->fp;
 				phar->fp = NULL;
+				/* FIX: GH-10755 Double-free issue caught by ASAN check */
+				pphar->alias = phar->alias; /* Transfer alias to pphar to */
+				phar->alias = NULL;         /* avoid being free'd twice   */
 				phar_destroy_phar_data(phar);
 				*sphar = NULL;
 				phar = pphar;
-				phar->refcount++;
 				newpath = oldpath;
 				goto its_ok;
 			}

diff --git a/ext/phar/tests/bug69958.phpt b/ext/phar/tests/bug69958.phpt
@@ -1,7 +1,5 @@
 --TEST--
 Phar: bug #69958: Segfault in Phar::convertToData on invalid file
---XFAIL--
-Still has memory leaks, see https://bugs.php.net/bug.php?id=70005
 --EXTENSIONS--
 phar
 --FILE--
@@ -10,8 +8,8 @@ $tarphar = new PharData(__DIR__.'/bug69958.tar');
 $phar = $tarphar->convertToData(Phar::TAR);
 ?>
 --EXPECTF--
-Fatal error: Uncaught BadMethodCallException: phar "%s/bug69958.tar" exists and must be unlinked prior to conversion in %s/bug69958.php:%d
+Fatal error: Uncaught BadMethodCallException: phar "%sbug69958.tar" exists and must be unlinked prior to conversion in %sbug69958.php:%d
 Stack trace:
-#0 %s/bug69958.php(%d): PharData->convertToData(%d)
+#0 %sbug69958.php(%d): PharData->convertToData(%d)
 #1 {main}
-  thrown in %s/bug69958.php on line %d
+  thrown in %sbug69958.php on line %d