Fix GH-14506: Closing a userspace stream inside a userspace handler causes heap corruption

nielsdos · nielsdos · commit 42d51588069d · 2025-06-08T11:52:35.000+02:00
Use the PHP_STREAM_FLAG_NO_FCLOSE flag to prevent closing a stream while
a handler is running. We already do this in some other places as well.
Only handlers that do something with the stream afterwards need changes.
diff --git a/main/streams/userspace.c b/main/streams/userspace.c
@@ -575,10 +575,16 @@ static ssize_t php_userstreamop_write(php_stream *stream, const char *buf, size_
 
 	ZVAL_STRINGL(&args[0], (char*)buf, count);
 
+	uint32_t orig_no_fclose = stream->flags & PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
+
 	call_result = call_method_if_exists(&us->object, &func_name, &retval, 1, args);
 	zval_ptr_dtor(&args[0]);
 	zval_ptr_dtor(&func_name);
 
+	stream->flags &= ~PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= orig_no_fclose;
+
 	if (EG(exception)) {
 		return -1;
 	}
@@ -620,6 +626,9 @@ static ssize_t php_userstreamop_read(php_stream *stream, char *buf, size_t count
 
 	assert(us != NULL);
 
+	uint32_t orig_no_fclose = stream->flags & PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
+
 	ZVAL_STRINGL(&func_name, USERSTREAM_READ, sizeof(USERSTREAM_READ)-1);
 
 	ZVAL_LONG(&args[0], count);
@@ -630,22 +639,22 @@ static ssize_t php_userstreamop_read(php_stream *stream, char *buf, size_t count
 	zval_ptr_dtor(&func_name);
 
 	if (EG(exception)) {
-		return -1;
+		goto err;
 	}
 
 	if (call_result == FAILURE) {
 		php_error_docref(NULL, E_WARNING, "%s::" USERSTREAM_READ " is not implemented!",
 				ZSTR_VAL(us->wrapper->ce->name));
-		return -1;
+		goto err;
 	}
 
 	if (Z_TYPE(retval) == IS_FALSE) {
-		return -1;
+		goto err;
 	}
 
 	if (!try_convert_to_string(&retval)) {
 		zval_ptr_dtor(&retval);
-		return -1;
+		goto err;
 	}
 
 	didread = Z_STRLEN(retval);
@@ -669,7 +678,7 @@ static ssize_t php_userstreamop_read(php_stream *stream, char *buf, size_t count
 
 	if (EG(exception)) {
 		stream->eof = 1;
-		return -1;
+		goto err;
 	}
 
 	if (call_result == SUCCESS && Z_TYPE(retval) != IS_UNDEF && zval_is_true(&retval)) {
@@ -684,7 +693,15 @@ static ssize_t php_userstreamop_read(php_stream *stream, char *buf, size_t count
 
 	zval_ptr_dtor(&retval);
 
+	stream->flags &= ~PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= orig_no_fclose;
+
 	return didread;
+
+err:
+	stream->flags &= ~PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= orig_no_fclose;
+	return -1;
 }
 
 static int php_userstreamop_close(php_stream *stream, int close_handle)
@@ -749,6 +766,9 @@ static int php_userstreamop_seek(php_stream *stream, zend_off_t offset, int when
 	ZVAL_LONG(&args[0], offset);
 	ZVAL_LONG(&args[1], whence);
 
+	uint32_t orig_no_fclose = stream->flags & PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
+
 	call_result = call_method_if_exists(&us->object, &func_name, &retval, 2, args);
 
 	zval_ptr_dtor(&args[0]);
@@ -773,7 +793,7 @@ static int php_userstreamop_seek(php_stream *stream, zend_off_t offset, int when
 	ZVAL_UNDEF(&retval);
 
 	if (ret) {
-		return ret;
+		goto out;
 	}
 
 	/* now determine where we are */
@@ -793,6 +813,11 @@ static int php_userstreamop_seek(php_stream *stream, zend_off_t offset, int when
 
 	zval_ptr_dtor(&retval);
 	zval_ptr_dtor(&func_name);
+
+out:
+	stream->flags &= ~PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= orig_no_fclose;
+
 	return ret;
 }
 
@@ -1403,6 +1428,9 @@ static int php_userstreamop_cast(php_stream *stream, int castas, void **retptr)
 		break;
 	}
 
+	uint32_t orig_no_fclose = stream->flags & PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
+
 	call_result = call_method_if_exists(&us->object, &func_name, &retval, 1, args);
 
 	do {
@@ -1439,6 +1467,9 @@ static int php_userstreamop_cast(php_stream *stream, int castas, void **retptr)
 	zval_ptr_dtor(&func_name);
 	zval_ptr_dtor(&args[0]);
 
+	stream->flags &= ~PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= orig_no_fclose;
+
 	return ret;
 }
 
