Merge branch 'PHP-7.3' into PHP-7.4

nikic · nikic · commit 66d9f4d9855b · 2020-08-11T10:35:25.000+02:00
* PHP-7.3:
  Fixed bug #79951
diff --git a/NEWS b/NEWS
@@ -29,6 +29,7 @@ PHP                                                                        NEWS
   . Fixed bug #79930 (array_merge_recursive() crashes when called with array
     with single reference). (Nikita)
   . Fixed bug #79944 (getmxrr always returns true on Alpine linux). (Nikita)
+  . Fixed bug #79951 (Memory leak in str_replace of empty string). (Nikita)
 
 - XML:
   . Fixed bug #79922 (Crash after multiple calls to xml_parser_free()). (cmb)
diff --git a/ext/standard/string.c b/ext/standard/string.c
@@ -4357,12 +4357,9 @@ PHPAPI void php_stripslashes(zend_string *str)
  */
 static zend_long php_str_replace_in_subject(zval *search, zval *replace, zval *subject, zval *result, int case_sensitivity)
 {
-	zval		*search_entry,
-				*replace_entry = NULL;
+	zval		*search_entry;
 	zend_string	*tmp_result,
-	            *tmp_subject_str,
-	            *tmp_replace_entry_str = NULL,
-				*replace_entry_str;
+	            *tmp_subject_str;
 	char		*replace_value = NULL;
 	size_t		 replace_len = 0;
 	zend_long	 replace_count = 0;
@@ -4396,10 +4393,12 @@ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zval *s
 			/* Make sure we're dealing with strings. */
 			zend_string *tmp_search_str;
 			zend_string *search_str = zval_get_tmp_string(search_entry, &tmp_search_str);
+			zend_string *replace_entry_str, *tmp_replace_entry_str = NULL;
 
 			/* If replace is an array. */
 			if (Z_TYPE_P(replace) == IS_ARRAY) {
 				/* Get current entry */
+				zval *replace_entry = NULL;
 				while (replace_idx < Z_ARRVAL_P(replace)->nNumUsed) {
 					replace_entry = &Z_ARRVAL_P(replace)->arData[replace_idx].val;
 					if (Z_TYPE_P(replace_entry) != IS_UNDEF) {
@@ -4456,15 +4455,12 @@ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zval *s
 				}
 			} else {
 				zend_tmp_string_release(tmp_search_str);
+				zend_tmp_string_release(tmp_replace_entry_str);
 				continue;
 			}
 
 			zend_tmp_string_release(tmp_search_str);
-
-			if (tmp_replace_entry_str) {
-				zend_string_release_ex(tmp_replace_entry_str, 0);
-				tmp_replace_entry_str = NULL;
-			}
+			zend_tmp_string_release(tmp_replace_entry_str);
 
 			if (subject_str == tmp_result) {
 				zend_string_delref(subject_str);
diff --git a/ext/standard/tests/strings/bug79951.phpt b/ext/standard/tests/strings/bug79951.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #79951: Memory leak in str_replace of empty string
+--FILE--
+<?php
+
+var_dump(str_replace([""], [1000], "foo"));
+
+?>
+--EXPECT--
+string(3) "foo"
