wudi · pull · Oct 12, 2025 · Oct 12, 2025 · Oct 12, 2025 · Oct 12, 2025
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -3629,9 +3629,11 @@ PHP_FUNCTION(imagefilter)
 		RETURN_THROWS();
 	}
 
-	if (filtertype >= 0 && filtertype <= IMAGE_FILTER_MAX) {
-		filters[filtertype](INTERNAL_FUNCTION_PARAM_PASSTHRU);
+	if (UNEXPECTED(filtertype < 0 || filtertype > IMAGE_FILTER_MAX)) {
+		zend_argument_value_error(2, "must be one of the IMG_FILTER_* filter constants");
+		RETURN_THROWS();
 	}
+	filters[filtertype](INTERNAL_FUNCTION_PARAM_PASSTHRU);
 }
 /* }}} */
 

diff --git a/ext/gd/tests/imagefilter_invalid_filter_error.phpt b/ext/gd/tests/imagefilter_invalid_filter_error.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-20070: Testing wrong parameter passing in imagefilter() of GD library
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$image = imagecreatetruecolor(1, 1);
+
+try {
+    var_dump(imagefilter($image, -1));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+ValueError: imagefilter(): Argument #2 ($filter) must be one of the IMG_FILTER_* filter constants
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
@@ -34,6 +34,17 @@ static zend_class_entry *phar_ce_data;
 static zend_class_entry *phar_ce_PharException;
 static zend_class_entry *phar_ce_entry;
 
+#define PHAR_FETCH_INTERNAL_EX(zv) (void *)((char *) Z_OBJ_P(zv) - Z_OBJ_P(zv)->handlers->offset);
+#define PHAR_FETCH_INTERNAL() PHAR_FETCH_INTERNAL_EX(ZEND_THIS)
+
+#define PHAR_ARCHIVE_OBJECT() \
+	phar_archive_object *phar_obj = PHAR_FETCH_INTERNAL(); \
+	if (!phar_obj->archive) { \
+		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, \
+			"Cannot call method on an uninitialized Phar object"); \
+		RETURN_THROWS(); \
+	}
+
 static int phar_file_type(HashTable *mimes, char *file, char **mime_type) /* {{{ */
 {
 	char *ext;
@@ -1119,11 +1130,11 @@ PHP_METHOD(Phar, __construct)
 	zend_long format = 0;
 	phar_archive_object *phar_obj;
 	phar_archive_data   *phar_data;
-	zval *zobj = ZEND_THIS, arg1, arg2;
+	zval arg1, arg2;
 
-	phar_obj = (phar_archive_object*)((char*)Z_OBJ_P(zobj) - Z_OBJ_P(zobj)->handlers->offset);
+	phar_obj = PHAR_FETCH_INTERNAL();
 
-	is_data = instanceof_function(Z_OBJCE_P(zobj), phar_ce_data);
+	is_data = instanceof_function(Z_OBJCE_P(ZEND_THIS), phar_ce_data);
 
 	if (is_data) {
 		if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|ls!l", &fname, &fname_len, &flags, &alias, &alias_len, &format) == FAILURE) {
@@ -1223,7 +1234,7 @@ PHP_METHOD(Phar, __construct)
 	ZVAL_LONG(&arg2, flags);
 
 	zend_call_known_instance_method_with_2_params(spl_ce_RecursiveDirectoryIterator->constructor,
-		Z_OBJ_P(zobj), NULL, &arg1, &arg2);
+		Z_OBJ_P(ZEND_THIS), NULL, &arg1, &arg2);
 
 	zval_ptr_dtor(&arg1);
 
@@ -1353,20 +1364,10 @@ PHP_METHOD(Phar, unlinkArchive)
 }
 /* }}} */
 
-#define PHAR_ARCHIVE_OBJECT() \
-	zval *zobj = ZEND_THIS; \
-	phar_archive_object *phar_obj = (phar_archive_object*)((char*)Z_OBJ_P(zobj) - Z_OBJ_P(zobj)->handlers->offset); \
-	if (!phar_obj->archive) { \
-		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, \
-			"Cannot call method on an uninitialized Phar object"); \
-		RETURN_THROWS(); \
-	}
-
 /* {{{ if persistent, remove from the cache */
 PHP_METHOD(Phar, __destruct)
 {
-	zval *zobj = ZEND_THIS;
-	phar_archive_object *phar_obj = (phar_archive_object*)((char*)Z_OBJ_P(zobj) - Z_OBJ_P(zobj)->handlers->offset);
+	phar_archive_object *phar_obj = PHAR_FETCH_INTERNAL();
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		RETURN_THROWS();
@@ -1458,7 +1459,7 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */
 		case IS_OBJECT:
 			if (instanceof_function(Z_OBJCE_P(value), spl_ce_SplFileInfo)) {
 				char *test = NULL;
-				spl_filesystem_object *intern = (spl_filesystem_object*)((char*)Z_OBJ_P(value) - Z_OBJ_P(value)->handlers->offset);
+				spl_filesystem_object *intern = PHAR_FETCH_INTERNAL_EX(value);
 
 				if (!base_len) {
 					zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Iterator %s returns an SplFileInfo object, so base directory must be specified", ZSTR_VAL(ce->name));
@@ -1729,7 +1730,6 @@ PHP_METHOD(Phar, buildFromDirectory)
 	}
 
 	if (SUCCESS != object_init_ex(&iter, spl_ce_RecursiveDirectoryIterator)) {
-		zval_ptr_dtor(&iter);
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Unable to instantiate directory iterator for %s", phar_obj->archive->fname);
 		RETURN_THROWS();
 	}
@@ -1747,7 +1747,6 @@ PHP_METHOD(Phar, buildFromDirectory)
 
 	if (SUCCESS != object_init_ex(&iteriter, spl_ce_RecursiveIteratorIterator)) {
 		zval_ptr_dtor(&iter);
-		zval_ptr_dtor(&iteriter);
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Unable to instantiate directory iterator for %s", phar_obj->archive->fname);
 		RETURN_THROWS();
 	}
@@ -1768,7 +1767,6 @@ PHP_METHOD(Phar, buildFromDirectory)
 
 		if (SUCCESS != object_init_ex(&regexiter, spl_ce_RegexIterator)) {
 			zval_ptr_dtor(&iteriter);
-			zval_ptr_dtor(&regexiter);
 			zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Unable to instantiate regex iterator for %s", phar_obj->archive->fname);
 			RETURN_THROWS();
 		}
@@ -2199,9 +2197,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext) /*
 		ce = phar_ce_archive;
 	}
 
-	ZVAL_NULL(&ret);
 	if (SUCCESS != object_init_ex(&ret, ce)) {
-		zval_ptr_dtor(&ret);
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Unable to instantiate phar object when converting archive \"%s\"", phar->fname);
 		return NULL;
 	}
@@ -2734,21 +2730,15 @@ PHP_METHOD(Phar, setAlias)
 		RETURN_TRUE;
 	}
 	if (NULL != (fd_ptr = zend_hash_find_ptr(&(PHAR_G(phar_alias_map)), new_alias))) {
-		spprintf(&error, 0, "alias \"%s\" is already used for archive \"%s\" and cannot be used for other archives", ZSTR_VAL(new_alias), fd_ptr->fname);
-		if (SUCCESS == phar_free_alias(fd_ptr, ZSTR_VAL(new_alias), ZSTR_LEN(new_alias))) {
-			efree(error);
-			goto valid_alias;
+		if (SUCCESS != phar_free_alias(fd_ptr, ZSTR_VAL(new_alias), ZSTR_LEN(new_alias))) {
+			zend_throw_exception_ex(phar_ce_PharException, 0, "alias \"%s\" is already used for archive \"%s\" and cannot be used for other archives", ZSTR_VAL(new_alias), fd_ptr->fname);
+			RETURN_THROWS();
 		}
-		zend_throw_exception_ex(phar_ce_PharException, 0, "%s", error);
-		efree(error);
-		RETURN_THROWS();
-	}
-	if (!phar_validate_alias(ZSTR_VAL(new_alias), ZSTR_LEN(new_alias))) {
+	} else if (!phar_validate_alias(ZSTR_VAL(new_alias), ZSTR_LEN(new_alias))) {
 		zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
 			"Invalid alias \"%s\" specified for phar \"%s\"", ZSTR_VAL(new_alias), phar_obj->archive->fname);
 		RETURN_THROWS();
 	}
-valid_alias:
 	if (phar_obj->archive->is_persistent && FAILURE == phar_copy_on_write(&(phar_obj->archive))) {
 		zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" is persistent, unable to copy on write", phar_obj->archive->fname);
 		RETURN_THROWS();
@@ -2758,13 +2748,15 @@ PHP_METHOD(Phar, setAlias)
 		readd = 1;
 	}
 
+	ZEND_ASSERT(!phar_obj->archive->is_persistent);
+
 	oldalias = phar_obj->archive->alias;
 	oldalias_len = phar_obj->archive->alias_len;
 	old_temp = phar_obj->archive->is_temporary_alias;
 
 	phar_obj->archive->alias_len = ZSTR_LEN(new_alias);
 	if (phar_obj->archive->alias_len) {
-		phar_obj->archive->alias = pestrndup(ZSTR_VAL(new_alias), ZSTR_LEN(new_alias), phar_obj->archive->is_persistent);
+		phar_obj->archive->alias = estrndup(ZSTR_VAL(new_alias), ZSTR_LEN(new_alias));
 	} else {
 		phar_obj->archive->alias = NULL;
 	}
@@ -2773,7 +2765,7 @@ PHP_METHOD(Phar, setAlias)
 	phar_flush(phar_obj->archive, &error);
 
 	if (error) {
-		pefree(phar_obj->archive->alias, phar_obj->archive->is_persistent);
+		efree(phar_obj->archive->alias);
 		phar_obj->archive->alias = oldalias;
 		phar_obj->archive->alias_len = oldalias_len;
 		phar_obj->archive->is_temporary_alias = old_temp;
@@ -4460,13 +4452,13 @@ PHP_METHOD(PharFileInfo, __construct)
 	phar_entry_object *entry_obj;
 	phar_entry_info *entry_info;
 	phar_archive_data *phar_data;
-	zval *zobj = ZEND_THIS, arg1;
+	zval arg1;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &fname, &fname_len) == FAILURE) {
 		RETURN_THROWS();
 	}
 
-	entry_obj = (phar_entry_object*)((char*)Z_OBJ_P(zobj) - Z_OBJ_P(zobj)->handlers->offset);
+	entry_obj = PHAR_FETCH_INTERNAL();
 
 	if (entry_obj->entry) {
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot call constructor twice");
@@ -4512,15 +4504,14 @@ PHP_METHOD(PharFileInfo, __construct)
 	ZVAL_STRINGL(&arg1, fname, fname_len);
 
 	zend_call_known_instance_method_with_1_params(spl_ce_SplFileInfo->constructor,
-		Z_OBJ_P(zobj), NULL, &arg1);
+		Z_OBJ_P(ZEND_THIS), NULL, &arg1);
 
 	zval_ptr_dtor(&arg1);
 }
 /* }}} */
 
 #define PHAR_ENTRY_OBJECT_EX(throw) \
-	zval *zobj = ZEND_THIS; \
-	phar_entry_object *entry_obj = (phar_entry_object*)((char*)Z_OBJ_P(zobj) - Z_OBJ_P(zobj)->handlers->offset); \
+	phar_entry_object *entry_obj = PHAR_FETCH_INTERNAL(); \
 	if (!entry_obj->entry) { \
 		if (throw) { \
 			zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, \

diff --git a/ext/phar/zip.c b/ext/phar/zip.c
@@ -345,28 +345,6 @@ int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alia
 	entry.is_zip = 1;
 	entry.fp_type = PHAR_FP;
 	entry.is_persistent = mydata->is_persistent;
-#define PHAR_ZIP_FAIL_FREE(errmsg, save) \
-			zend_hash_destroy(&mydata->manifest); \
-			HT_INVALIDATE(&mydata->manifest); \
-			zend_hash_destroy(&mydata->mounted_dirs); \
-			HT_INVALIDATE(&mydata->mounted_dirs); \
-			zend_hash_destroy(&mydata->virtual_dirs); \
-			HT_INVALIDATE(&mydata->virtual_dirs); \
-			php_stream_close(fp); \
-			phar_metadata_tracker_free(&mydata->metadata_tracker, mydata->is_persistent); \
-			if (mydata->signature) { \
-				efree(mydata->signature); \
-			} \
-			if (error) { \
-				spprintf(error, 4096, "phar error: %s in zip-based phar \"%s\"", errmsg, mydata->fname); \
-			} \
-			pefree(mydata->fname, mydata->is_persistent); \
-			if (mydata->alias) { \
-				pefree(mydata->alias, mydata->is_persistent); \
-			} \
-			pefree(mydata, mydata->is_persistent); \
-			efree(save); \
-			return FAILURE;
 #define PHAR_ZIP_FAIL(errmsg) \
 			zend_hash_destroy(&mydata->manifest); \
 			HT_INVALIDATE(&mydata->manifest); \
@@ -522,14 +500,13 @@ int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alia
 			mydata->sig_flags = PHAR_GET_32(sig);
 			if (FAILURE == phar_verify_signature(sigfile, php_stream_tell(sigfile), mydata->sig_flags, sig + 8, entry.uncompressed_filesize - 8, fname, &mydata->signature, &sig_len, error)) {
 				efree(sig);
+				php_stream_close(sigfile);
 				if (error) {
-					char *save;
-					php_stream_close(sigfile);
-					spprintf(&save, 4096, "signature cannot be verified: %s", *error);
+					char errmsg[128];
+					snprintf(errmsg, sizeof(errmsg), "signature cannot be verified: %s", *error);
 					efree(*error);
-					PHAR_ZIP_FAIL_FREE(save, save);
+					PHAR_ZIP_FAIL(errmsg);
 				} else {
-					php_stream_close(sigfile);
 					PHAR_ZIP_FAIL("signature cannot be verified");
 				}
 			}