triggers another ZendMM leak

devnexen · devnexen · commit 389512b7e19c · 2024-11-30T00:31:33.000Z
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
@@ -627,20 +627,38 @@ static void php_snmp_internal(INTERNAL_FUNCTION_PARAMETERS, int st,
 /* }}} */
 
 static void php_snmp_zend_string_release_from_char_pointer(char *ptr) {
-	zend_string *pptr = (zend_string *)(ptr - XtOffsetOf(zend_string, val));
-	zend_string_release(pptr);
+	if (ptr) {
+		zend_string *pptr = (zend_string *)(ptr - XtOffsetOf(zend_string, val));
+		if (GC_REFCOUNT(pptr)) {
+			zend_string_release(pptr);
+		} else {
+			efree(pptr);
+		}
+	}
 }
 
-static void php_free_objid_query(struct objid_query *objid_query, zend_string* oid_str, zend_string *value_str, HashTable *value_ht, int st) {
-	if (!oid_str) {
-		for (int i = 0; i < objid_query->count; i ++) {
+static void php_free_objid_query(struct objid_query *objid_query, HashTable* oid_ht, zend_string *value_str, HashTable *value_ht, int st) {
+#define PHP_FREE_OBJID_VAL(arg)									\
+	do {											\
+		if (st & SNMP_CMD_SET) { 							\
+			if (value_str) { 							\
+				php_snmp_zend_string_release_from_char_pointer(arg->value); 	\
+			}									\
+			php_snmp_zend_string_release_from_char_pointer(&arg->type);		\
+		}										\
+		php_snmp_zend_string_release_from_char_pointer(arg->oid);			\
+	} while (0)
+
+	if (oid_ht) {
+		uint32_t i = 0, count = zend_hash_num_elements(oid_ht);
+
+		while (i < count) {
 			snmpobjarg *arg = &objid_query->vars[i];
-			if (st & SNMP_CMD_SET) {
-				if (!value_str && value_ht) {
-					php_snmp_zend_string_release_from_char_pointer(arg->value);
-				}
+			if (!arg->oid) {
+				break;
 			}
-			php_snmp_zend_string_release_from_char_pointer(arg->oid);
+			PHP_FREE_OBJID_VAL(arg);
+			i ++;
 		}
 	}
 	efree(objid_query->vars);
@@ -694,11 +712,12 @@ static bool php_snmp_parse_oid(
 			return false;
 		}
 		objid_query->vars = (snmpobjarg *)safe_emalloc(sizeof(snmpobjarg), zend_hash_num_elements(oid_ht), 0);
+		memset(objid_query->vars, 0, sizeof(snmpobjarg) * zend_hash_num_elements(oid_ht));
 		objid_query->array_output = (st & SNMP_CMD_SET) == 0;
 		ZEND_HASH_FOREACH_VAL(oid_ht, tmp_oid) {
 			zend_string *tmp = zval_try_get_string(tmp_oid);
 			if (!tmp) {
-				efree(objid_query->vars);
+				php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 				return false;
 			}
 			objid_query->vars[objid_query->count].oid = ZSTR_VAL(tmp);
@@ -725,23 +744,23 @@ static bool php_snmp_parse_oid(
 						}
 					}
 					if (idx_type < type_ht->nNumUsed) {
-						zval new;
-						ZVAL_COPY_VALUE(&new, tmp_type);
-						if (!try_convert_to_string(&new)) {
-							php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+						zend_string *type = zval_try_get_string(tmp_type);
+						if (!type) {
+							php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 							return false;
 						}
-						if (Z_STRLEN(new) != 1) {
+						if (ZSTR_LEN(type) != 1) {
 							zend_value_error("Type must be a single character");
-							php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+							zend_string_release(type);
+							php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 							return false;
 						}
-						pptr = Z_STRVAL(new);
+						pptr = ZSTR_VAL(type);
 						objid_query->vars[objid_query->count].type = *pptr;
 						idx_type++;
 					} else {
-						php_error_docref(NULL, E_WARNING, "'%s': no type set", Z_STRVAL_P(tmp_oid));
-						php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+						php_error_docref(NULL, E_WARNING, "'%s': no type set", ZSTR_VAL(tmp));
+						php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 						return false;
 					}
 				}
@@ -769,14 +788,14 @@ static bool php_snmp_parse_oid(
 					if (idx_value < value_ht->nNumUsed) {
 						zend_string *tmp = zval_try_get_string(tmp_value);
 						if (!tmp) {
-							php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+							php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 							return false;
 						}
 						objid_query->vars[objid_query->count].value = ZSTR_VAL(tmp);
 						idx_value++;
 					} else {
-						php_error_docref(NULL, E_WARNING, "'%s': no value set", Z_STRVAL_P(tmp_oid));
-						php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+						php_error_docref(NULL, E_WARNING, "'%s': no value set", ZSTR_VAL(tmp));
+						php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 						return false;
 					}
 				}
@@ -789,14 +808,14 @@ static bool php_snmp_parse_oid(
 	if (st & SNMP_CMD_WALK) {
 		if (objid_query->count > 1) {
 			php_snmp_error(object, PHP_SNMP_ERRNO_OID_PARSING_ERROR, "Multi OID walks are not supported!");
-			php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+			php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 			return false;
 		}
 		objid_query->vars[0].name_length = MAX_NAME_LEN;
 		if (strlen(objid_query->vars[0].oid)) { /* on a walk, an empty string means top of tree - no error */
 			if (!snmp_parse_oid(objid_query->vars[0].oid, objid_query->vars[0].name, &(objid_query->vars[0].name_length))) {
 				php_snmp_error(object, PHP_SNMP_ERRNO_OID_PARSING_ERROR, "Invalid object identifier: %s", objid_query->vars[0].oid);
-				php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+				php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 				return false;
 			}
 		} else {
@@ -808,7 +827,7 @@ static bool php_snmp_parse_oid(
 			objid_query->vars[objid_query->offset].name_length = MAX_OID_LEN;
 			if (!snmp_parse_oid(objid_query->vars[objid_query->offset].oid, objid_query->vars[objid_query->offset].name, &(objid_query->vars[objid_query->offset].name_length))) {
 				php_snmp_error(object, PHP_SNMP_ERRNO_OID_PARSING_ERROR, "Invalid object identifier: %s", objid_query->vars[objid_query->offset].oid);
-				php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+				php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 				return false;
 			}
 		}
@@ -1285,12 +1304,12 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 
 	if (session_less_mode) {
 		if (!netsnmp_session_init(&session, version, a1, a2, timeout, retries)) {
-			php_free_objid_query(&objid_query, oid_str, value_str, value_ht, st);
+			php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 			netsnmp_session_free(&session);
 			RETURN_FALSE;
 		}
 		if (version == SNMP_VERSION_3 && !netsnmp_session_set_security(session, a3, a4, a5, a6, a7, NULL, NULL)) {
-			php_free_objid_query(&objid_query, oid_str, value_str, value_ht, st);
+			php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 			netsnmp_session_free(&session);
 			/* Warning message sent already, just bail out */
 			RETURN_FALSE;
@@ -1301,7 +1320,7 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 		session = snmp_object->session;
 		if (!session) {
 			zend_throw_error(NULL, "Invalid or uninitialized SNMP object");
-			php_free_objid_query(&objid_query, oid_str, value_str, value_ht, st);
+			php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 			RETURN_THROWS();
 		}
 
@@ -1335,7 +1354,7 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 		netsnmp_ds_set_int(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_OID_OUTPUT_FORMAT, glob_snmp_object.oid_output_format);
 	}
 
-	php_free_objid_query(&objid_query, oid_str, value_str, value_ht, st);
+	php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 }
 /* }}} */
 
diff --git a/ext/snmp/tests/gh16959.phpt b/ext/snmp/tests/gh16959.phpt
@@ -19,6 +19,22 @@ var_dump(snmpget($hostname, "", $bad_object_ids) === false);
 var_dump($bad_object_ids);
 try {
 	snmpget($hostname, "", [0 => new stdClass()]);
+} catch (Throwable $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+	snmp2_set($hostname, $communityWrite, $bad_object_ids, array(new stdClass()), array(null));
+} catch (Throwable $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	snmp2_set($hostname, $communityWrite, $bad_object_ids, array("toolongtype"), array(null));
+} catch (Throwable $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	snmp2_set($hostname, $communityWrite, $bad_object_ids, array(str_repeat("onetoomuch", random_int(1, 1))), array(null));
 } catch (Throwable $e) {
 	echo $e->getMessage();
 }
@@ -48,3 +64,6 @@ array(4) {
   int(0)
 }
 Object of class stdClass could not be converted to string
+Object of class stdClass could not be converted to string
+Type must be a single character
+Type must be a single character
