From dadc2222d63240395a314a6c600b8230a752af22 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 10 Apr 2026 06:05:44 +0100 Subject: [PATCH 1/2] Fix GH-21698: memory leak in ZipArchive::addGlob on early returns. globfree was not called on the no-matches path and on the open_basedir reject path, leaking the glob_t contents populated by a successful glob() call. --- ext/zip/php_zip.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index 75ae4aa91913f..d25cfe04326f7 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -675,12 +675,14 @@ int php_zip_glob(char *pattern, int pattern_len, zend_long flags, zval *return_v /* now catch the FreeBSD style of "no matches" */ if (!globbuf.gl_pathc || !globbuf.gl_pathv) { + globfree(&globbuf); return 0; } /* we assume that any glob pattern will match files from one directory only so checking the dirname of the first match should be sufficient */ if (ZIP_OPENBASEDIR_CHECKPATH(globbuf.gl_pathv[0])) { + globfree(&globbuf); return -1; } From 632e88a301ce82cc0b5ca583ddb428cf419d3cd0 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 10 Apr 2026 06:14:21 +0100 Subject: [PATCH 2/2] add test --- ext/zip/tests/gh21698.phpt | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 ext/zip/tests/gh21698.phpt diff --git a/ext/zip/tests/gh21698.phpt b/ext/zip/tests/gh21698.phpt new file mode 100644 index 0000000000000..d77b2152e72fe --- /dev/null +++ b/ext/zip/tests/gh21698.phpt @@ -0,0 +1,21 @@ +--TEST-- +GH-21698 (ZipArchive::addGlob memory leak when open_basedir rejects the match) +--EXTENSIONS-- +zip +--FILE-- +open($zipfile, ZipArchive::CREATE | ZipArchive::OVERWRITE); + +ini_set('open_basedir', '/nonexistent_dir_for_gh21698'); +var_dump($zip->addGlob(__FILE__, 0, [])); +$zip->close(); +?> +--CLEAN-- + +--EXPECTF-- +Warning: ZipArchive::addGlob(): open_basedir restriction in effect. File(%s) is not within the allowed path(s): (%s) in %s on line %d +bool(false)