Fix ht corruption during shutdown for bailing user stream

iluuu1994 · iluuu1994 · commit a6fcf76b5a4f · 2025-10-14T00:03:19.000+02:00
Fixes GH-19844 Closes GH-19849
diff --git a/Zend/tests/gh19844.phpt b/Zend/tests/gh19844.phpt
@@ -0,0 +1,42 @@
+--TEST--
+GH-19844: Bail from stream_close() in zend_shutdown_executor_values()
+--FILE--
+<?php
+
+class Test {
+    public $context;
+    private static $nested = false;
+
+    function stream_open() {
+        return true;
+    }
+
+    function stream_read() {
+        return '.';
+    }
+    function stream_set_option() {}
+    function stream_stat() {}
+
+    function stream_eof() {
+        if (!Test::$nested) {
+            Test::$nested = true;
+            include 'Test://';
+        }
+        @trigger_error('Bail', E_USER_ERROR);
+    }
+
+    function stream_close() {
+        @trigger_error('Bail', E_USER_ERROR);
+    }
+}
+
+stream_wrapper_register('Test', Test::class);
+include 'Test://';
+
+?>
+--EXPECTF--
+Fatal error: Bail in %s on line %d
+
+Fatal error: Bail in %s on line %d
+
+Fatal error: Bail in %s on line %d
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
@@ -274,9 +274,7 @@ ZEND_API void zend_shutdown_executor_values(bool fast_shutdown)
 	zval *zv;
 
 	EG(flags) |= EG_FLAGS_IN_RESOURCE_SHUTDOWN;
-	zend_try {
-		zend_close_rsrc_list(&EG(regular_list));
-	} zend_end_try();
+	zend_close_rsrc_list(&EG(regular_list));
 
 	/* No PHP callback functions should be called after this point. */
 	EG(active) = 0;
diff --git a/Zend/zend_list.c b/Zend/zend_list.c
@@ -217,15 +217,25 @@ void zend_close_rsrc_list(HashTable *ht)
 	/* Reload ht->arData on each iteration, as it may be reallocated. */
 	uint32_t i = ht->nNumUsed;
 
-	while (i-- > 0) {
-		zval *p = ZEND_HASH_ELEMENT(ht, i);
-		if (Z_TYPE_P(p) != IS_UNDEF) {
-			zend_resource *res = Z_PTR_P(p);
-			if (res->type >= 0) {
-				zend_resource_dtor(res);
+retry:
+	zend_try {
+		while (i-- > 0) {
+			zval *p = ZEND_HASH_ELEMENT(ht, i);
+			if (Z_TYPE_P(p) != IS_UNDEF) {
+				zend_resource *res = Z_PTR_P(p);
+				if (res->type >= 0) {
+					zend_resource_dtor(res);
+				}
 			}
 		}
-	}
+	} zend_catch {
+		/* If we have bailed, we probably executed user code (e.g. user stream
+		 * API). Keep closing resources so they don't leak. User handlers must be
+		 * called now so they aren't called in zend_deactivate() on
+		 * zend_destroy_rsrc_list(&EG(regular_list)). At that point, the executor
+		 * has already shut down and the process would crash. */
+		goto retry;
+	} zend_end_try();
 }
 
 
