zip: Fix name leaks when path length check fails in php_zip_pcre()

ndossche · ndossche · commit c4d4ceab2dc6 · 2026-06-07T11:01:09.000+02:00
The loop isn't continued, so the remaining names will not get freed if
we don't do an extra loop here.
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
@@ -790,7 +790,10 @@ int php_zip_pcre(zend_string *regexp, char *path, int path_len, zval *return_val
 			if ((path_len + namelist_len + 1) >= MAXPATHLEN) {
 				php_error_docref(NULL, E_WARNING, "add_path string too long (max: %u, %zu given)",
 						MAXPATHLEN - 1, (path_len + namelist_len + 1));
-				zend_string_release_ex(namelist[i], 0);
+				/* The loop isn't continued, so all remaining file names must get freed. */
+				for (; i < files_cnt; i++) {
+					zend_string_release_ex(namelist[i], false);
+				}
 				break;
 			}
 
