ext/zip: memory leak when zip cancel callback bails out.

devnexen · devnexen · commit 1ea12af7929b · 2026-05-29T07:34:19.000+01:00
Fix #22176 A cancel callback that throws during the implicit zip_close() in the shutdown destructor triggers a zend_bailout that longjmps through libzip, skipping its free(filelist). Wrap the call in zend_try/zend_catch and cancel on bailout so libzip can unwind and clean up. While at it, apply the same guard to the progress callback, which is invoked from libzip the same way and is prone to the identical leak. close GH-22177
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
@@ -2910,7 +2910,10 @@ static void php_zip_progress_callback(zip_t *arch, double state, void *ptr)
 	ze_zip_object *obj = ptr;
 
 	ZVAL_DOUBLE(&cb_args[0], state);
-	zend_call_known_fcc(&obj->progress_callback, NULL, 1, cb_args, NULL);
+
+	zend_try {
+		zend_call_known_fcc(&obj->progress_callback, NULL, 1, cb_args, NULL);
+	} zend_end_try();
 }
 
 /* {{{ register a progression callback: void callback(double state); */
@@ -2957,7 +2960,13 @@ static int php_zip_cancel_callback(zip_t *arch, void *ptr)
 		return 0;
 	}
 
-	zend_call_known_fcc(&obj->cancel_callback, &cb_retval, 0, NULL, NULL);
+	zend_try {
+		zend_call_known_fcc(&obj->cancel_callback, &cb_retval, 0, NULL, NULL);
+	} zend_catch {
+		/* Cancel if a bailout occurs to allow cleanup to happen */
+		return -1;
+	} zend_end_try();
+
 	if (Z_ISUNDEF(cb_retval)) {
 		/* Cancel if an exception has been thrown */
 		return -1;
diff --git a/ext/zip/tests/gh22176.phpt b/ext/zip/tests/gh22176.phpt
@@ -0,0 +1,59 @@
+--TEST--
+GH-22176 (Memory leak when a ZipArchive cancel/progress callback bails out in the shutdown destructor)
+--EXTENSIONS--
+zip
+--SKIPIF--
+<?php
+if (!method_exists('ZipArchive', 'registerCancelCallback')) die('skip libzip too old');
+if (!method_exists('ZipArchive', 'registerProgressCallback')) die('skip libzip too old');
+?>
+--FILE--
+<?php
+$dir = __DIR__ . '/';
+
+$cancel = new ZipArchive;
+$cancel->open($dir . 'gh22176_cancel.zip', ZipArchive::CREATE);
+$cancel->registerCancelCallback(function () {
+    throw new \Exception('cancel boom');
+});
+$cancel->addFromString('test', 'test');
+
+$progress = new ZipArchive;
+$progress->open($dir . 'gh22176_progress.zip', ZipArchive::CREATE);
+$progress->registerProgressCallback(0.5, function ($r) {
+    throw new \Exception('progress boom');
+});
+$progress->addFromString('test', 'test');
+
+echo "done\n";
+// Both archives are flushed and the objects destroyed during request
+// shutdown; the thrown exceptions bail out through libzip's zip_close()
+// without leaking its internal state.
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/gh22176_cancel.zip');
+@unlink(__DIR__ . '/gh22176_progress.zip');
+?>
+--EXPECTF--
+done
+
+Fatal error: Uncaught Exception: progress boom in %s:%d
+Stack trace:
+#0 [internal function]: {closure:%s:%d}(0.0)
+#1 {main}
+  thrown in %s on line %d
+
+Fatal error: Uncaught Exception: progress boom in %s:%d
+Stack trace:
+#0 [internal function]: {closure:%s:%d}(1.0)
+#1 {main}
+  thrown in %s on line %d
+
+Fatal error: Uncaught Exception: cancel boom in %s:%d
+Stack trace:
+#0 [internal function]: {closure:%s:%d}()
+#1 {main}
+  thrown in %s on line %d
+
+Warning: PHP Request Shutdown: Cannot destroy the zip context: %s in Unknown on line 0
