Merge branch 'PHP-7.4' into PHP-8.0

* PHP-7.4:
  Fixed bug #54350

Author: nikic

ext/standard/tests/filters/bug54350.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Bug #54350: Memory corruption with user_filter
+--FILE--
+<?php
+
+class user_filter extends php_user_filter {
+    function filter($in, $out, &$consumed, $closing): int {
+        while ($bucket = stream_bucket_make_writeable($in)) {
+        }
+        try {
+            fclose($this->stream);
+        } catch (TypeError $e) {
+            echo $e->getMessage(), "\n";
+        }
+        return 0;
+    }
+}
+stream_filter_register('user_filter','user_filter');
+$fd = fopen('php://memory','w');
+$filter = stream_filter_append($fd, 'user_filter');
+fwrite($fd, "foo");
+
+?>
+--EXPECTF--
+Warning: fclose(): 5 is not a valid stream resource in %s on line %d
+fclose(): supplied resource is not a valid stream resource

ext/standard/user_filters.c

@@ -169,6 +169,10 @@ php_stream_filter_status_t userfilter_filter(
 		return ret;
 	}
 
+	/* Make sure the stream is not closed while the filter callback executes. */
+	uint32_t orig_no_fclose = stream->flags & PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
+
 	if (!zend_hash_str_exists_ind(Z_OBJPROP_P(obj), "stream", sizeof("stream")-1)) {
 		zval tmp;
 
@@ -245,6 +249,9 @@ php_stream_filter_status_t userfilter_filter(
 	zval_ptr_dtor(&args[1]);
 	zval_ptr_dtor(&args[0]);
 
+	stream->flags &= ~PHP_STREAM_FLAG_NO_FCLOSE;
+	stream->flags |= orig_no_fclose;
+
 	return ret;
 }