Conversation
There was a problem hiding this comment.
Pull request overview
Memory-safety focused changes in the PHP OAuth extension to fix leaks/double-frees identified during audit/valgrind runs, primarily around provider auth header parsing, callback registration error paths, and multipart request bookkeeping.
Changes:
- Fix leaked temporary buffers / zvals in
oauth_provider_parse_auth_header()and add cleanup on failure paths. - Fix callback registration allocation leaks on invalid callback type.
- Make multipart key/value storage own its strings (
estrdup) and add cleanup in both request teardown and object destructor; remove duplicate smart_string frees.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| provider.c | Adds missing frees/dtors in auth header parsing and frees callback allocations on invalid type. |
| oauth.c | Removes duplicate header frees; duplicates multipart strings and frees multipart allocations after curl and in object destructor. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Memory safety audit fixing 6 issues found via code review and verified with valgrind (
USE_ZEND_ALLOC=0):Double free in destructor (oauth.c) —
headers_inandheaders_outfreed twice inso_object_free_storage(). Removed duplicate frees.Dangling pointers in multipart storage (oauth.c) —
multipart_files[]andmultipart_params[]stored rawZ_STRVAL_P()/ZSTR_VAL()pointers without copying. Now usesestrdup()with proper per-elementefree()in cleanup.Invalid free of shifted multipart pointers (oauth.c) —
make_req_curl()mutated storedmultipart_params[i]pointers with++(to skip leading@), then cleanup calledefree()on the shifted (non-base) pointer. Now uses localparam_namevariable for the@chomp instead of mutating stored pointers.Multipart cleanup unreachable on exception (oauth.c) — Added multipart array cleanup to
so_object_free_storage()as a safety net for exception paths.Memory leak in provider auth header parsing (provider.c) —
estrndup()result never freed afterZVAL_STRINGLcopied it.s_auth_headerzend_string leaked on all paths. Fixed both, plus proper cleanup on FAILURE return.Memory leak in provider callback registration (provider.c) —
cbandcb->fcall_infoleaked on invalid callback type.