Fix GH-10755: Memory leak in phar_rename_archive()

Su, Tao · iluuu1994 · commit edae24313d6e · 2023-03-20T13:27:33.000+01:00
In phar_renmae_archive() context, added one reference but immediately destroyed another, so do not need to increase refcount. With removal of refcount++ line, PHP/Zend no longer reports memory leak. Updated bug69958.phpt test file accordingly. Closes GH-10856
diff --git a/NEWS b/NEWS
@@ -98,6 +98,9 @@ PHP                                                                        NEWS
   . pg_fetch_object raises a ValueError instead of an Exception.
     (David Carlier)
 
+- Phar:
+  . Fix memory leak in phar_rename_archive(). (stkeke)
+
 - Posix:
   . Added posix_sysconf. (David Carlier)
   . Added posix_pathconf. (David Carlier)
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
@@ -2113,10 +2113,12 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext) /*
 				pphar->flags = phar->flags;
 				pphar->fp = phar->fp;
 				phar->fp = NULL;
+				/* FIX: GH-10755 Double-free issue caught by ASAN check */
+				pphar->alias = phar->alias; /* Transfer alias to pphar to */
+				phar->alias = NULL;         /* avoid being free'd twice   */
 				phar_destroy_phar_data(phar);
 				*sphar = NULL;
 				phar = pphar;
-				phar->refcount++;
 				newpath = oldpath;
 				goto its_ok;
 			}
diff --git a/ext/phar/tests/bug69958.phpt b/ext/phar/tests/bug69958.phpt
@@ -1,7 +1,5 @@
 --TEST--
 Phar: bug #69958: Segfault in Phar::convertToData on invalid file
---XFAIL--
-Still has memory leaks, see https://bugs.php.net/bug.php?id=70005
 --EXTENSIONS--
 phar
 --FILE--
@@ -10,8 +8,8 @@ $tarphar = new PharData(__DIR__.'/bug69958.tar');
 $phar = $tarphar->convertToData(Phar::TAR);
 ?>
 --EXPECTF--
-Fatal error: Uncaught BadMethodCallException: phar "%s/bug69958.tar" exists and must be unlinked prior to conversion in %s/bug69958.php:%d
+Fatal error: Uncaught BadMethodCallException: phar "%sbug69958.tar" exists and must be unlinked prior to conversion in %sbug69958.php:%d
 Stack trace:
-#0 %s/bug69958.php(%d): PharData->convertToData(%d)
+#0 %sbug69958.php(%d): PharData->convertToData(%d)
 #1 {main}
-  thrown in %s/bug69958.php on line %d
+  thrown in %sbug69958.php on line %d
