
fix: heap-use-after-free in php_brotli_decompress_read#86

Merged: kjdev merged 2 commits into master from fix/heap-use-after-free on May 29, 2026

Conversation

@kjdev kjdev (Owner) commented May 28, 2026

The read handler emalloc'd the input buffer on every call and efree'd it at the end, but self->ctx.next_in kept pointing into it across calls. On the next entry, when the decoder did not request more input, BrotliDecoderDecompressStream re-read the freed buffer. ASAN detects this via tests/streams_003.phpt through the copy() path.

Move the input buffer onto php_brotli_stream_data, allocate it lazily on first read, and free it in php_brotli_decompress_close. Also drop the now-pointless emalloc() NULL checks since Zend MM bails out on allocation failure.

Reported and patched by @ndossche.

Summary by CodeRabbit

  • Chores
    • Improved Brotli decompression memory efficiency and robustness during large reads, reducing per-read allocations and improving performance.
  • Tests
    • Added a runtime test that verifies correct compression/decompression behavior when reading with very large chunk sizes to prevent regressions.

@coderabbitai coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 1b2fc03 and 0efb752.

📒 Files selected for processing (2)
  • brotli.c
  • tests/streams_007.phpt
✅ Files skipped from review due to trivial changes (1)
  • tests/streams_007.phpt
🚧 Files skipped from review as they are similar to previous changes (1)
  • brotli.c

📝 Walkthrough

Refactors the Brotli decompression stream to lazily allocate and persist an input buffer in the stream state, reuse it across read calls when the decoder requests more input, and free it on stream close. Adds a PHPT that exercises oversized-chunk decompression.

Changes

Decompression stream buffer optimization

  • Persistent input buffer field (brotli.c): php_brotli_stream_data struct extended with an input_buf pointer to hold decompression input across read() invocations.
  • Decompression read logic refactor (brotli.c): php_brotli_decompress_read refactored to lazily allocate and reuse input_buf; when the decoder signals NEEDS_MORE_INPUT, bytes are read into the persistent buffer and reused on subsequent iterations instead of allocating a temporary per-call buffer.
  • Stream close cleanup (brotli.c): php_brotli_stream_close_decompression now frees input_buf when present before final cleanup.
  • Oversized-chunk PHPT test (tests/streams_007.phpt): new test writes a 1 MiB uncompressible payload via compress.brotli:// and reads it back with stream_set_chunk_size(1<<20) to validate decompression correctness when reads exceed the internal buffer.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • kjdev/php-ext-brotli#75: Also modifies php_brotli_decompress_read input buffer allocation and NEEDS_MORE_INPUT handling; overlaps at the decompression loop.

Poem

🐰 I dug a tiny burrow, neat and snug,
A buffer kept warm like a cozy rug,
Reused for every read,
Freed at stream's last deed,
Hops saved for memory, not one bug 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title directly describes the main fix: addressing a heap-use-after-free bug in the php_brotli_decompress_read function by refactoring buffer management.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@kjdev kjdev (Owner, Author) commented May 28, 2026

@ndossche Thanks again for the careful report and the patch.

For the record: I reproduced the UAF locally on master with tests/streams_003.phpt (copy() through compress.brotli://) under an ASAN-instrumented build of the extension (USE_ZEND_ALLOC=0 + LD_PRELOAD=libasan.so.8). The stack matched yours exactly — alloc at brotli.c:848, use at :894, free at :923.

Your patch is applied here as-is; after the fix, ASAN runs cleanly through all 48 tests with no regressions. Credit is in the commit message body.

On your meta question: a regular public PR is fine on this repo for memory-safety reports going forward — keeping the fix open helps downstream packagers pick it up. Of course, feel free to reach out privately first if you're ever unsure about a specific case.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1


Inline comments:
In `@brotli.c`:
- Around line 904-906: The read into self->input_buf uses `count` which can
exceed the buffer allocation; change the read to limit its size to the buffer
(use `PHP_BROTLI_BUFFER_SIZE` or compute `min(count, PHP_BROTLI_BUFFER_SIZE)`)
so `self->ctx.available_in = php_stream_read(self->stream, self->input_buf,
<limited_size>);` and keep `self->ctx.next_in = self->input_buf;` unchanged;
ensure any loop that consumes `self->ctx.available_in` accounts for partial
fills when `count` > `PHP_BROTLI_BUFFER_SIZE`.

📥 Commits

Reviewing files that changed from the base of the PR and between 415c2bd and 1b2fc03.

📒 Files selected for processing (1)
  • brotli.c

Comment thread brotli.c
The inner php_stream_read on the NEEDS_MORE_INPUT path wrote up to the
caller-requested count bytes into self->input_buf, which is allocated
with PHP_BROTLI_BUFFER_SIZE (1<<19). When the stream chunk size exceeds
PHP_BROTLI_BUFFER_SIZE this overflows the heap buffer.

Cap the read at PHP_BROTLI_BUFFER_SIZE, matching the outer read at
brotli.c:867, so the maximum write into input_buf is uniform over its
lifetime.

Regression test tests/streams_007.phpt: with stream_set_chunk_size set
to 1 MiB, read an uncompressible random_bytes payload back through the
brotli stream so the inner-loop read is exercised.

Reported-by: @ndossche
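The two fixes in this PR share one buffer-ownership discipline: the decoder's next_in may legitimately point into input_buf between read() calls, so the buffer must outlive the call (the use-after-free fix), and every refill of that buffer must be bounded by the buffer's size rather than by the caller's requested count (the heap-overflow fix). The following is an added illustration of that discipline, not code from php-ext-brotli or from the patch above. It replaces the real pieces with stand-ins: TOY_BUFFER_SIZE for PHP_BROTLI_BUFFER_SIZE, dec_ctx/dec_stream for BrotliDecoderState/BrotliDecoderDecompressStream (a byte-doubling "codec" so input is routinely left over between calls), and src_stream/src_read for php_stream/php_stream_read; these names and the constructed payload are assumptions of the example. check_next_in records any time pending input falls outside the live buffer, and largest_fill records the biggest single refill, so both invariants can be asserted after a round trip with a chunk size larger than the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy analogue of PHP_BROTLI_BUFFER_SIZE (1<<19 in the extension), kept small so a
 * read whose chunk size exceeds the buffer is cheap to exercise. Assumption. */
#define TOY_BUFFER_SIZE 64

typedef enum { DEC_OK, DEC_NEEDS_MORE_INPUT } dec_result;

/* Stand-in for BrotliDecoderState: same next_in/available_in convention. */
typedef struct { const uint8_t *next_in; size_t available_in; } dec_ctx;

/* Stand-in for the php_stream the handler pulls compressed bytes from. */
typedef struct { const uint8_t *data; size_t len, pos; } src_stream;

static size_t largest_fill = 0;       /* largest single read into input_buf */
static size_t bounds_violations = 0;  /* times next_in pointed outside input_buf */

static size_t src_read(src_stream *s, uint8_t *dst, size_t n)
{
    size_t left = s->len - s->pos;
    if (n > left) n = left;
    if (n > largest_fill) largest_fill = n;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Toy decoder: each input byte expands to two output bytes, so input is routinely
 * left over in the buffer between calls, the state in which a per-call buffer left
 * next_in dangling. Like BrotliDecoderDecompressStream, it asks for more input only
 * once available_in is exhausted. */
static dec_result dec_stream(dec_ctx *ctx, uint8_t **next_out, size_t *avail_out)
{
    while (ctx->available_in > 0 && *avail_out >= 2) {
        uint8_t b = *ctx->next_in++;
        ctx->available_in--;
        (*next_out)[0] = b;
        (*next_out)[1] = b;
        *next_out += 2;
        *avail_out -= 2;
    }
    return (*avail_out >= 2) ? DEC_NEEDS_MORE_INPUT : DEC_OK;
}

/* Stream state: input_buf lives here for the whole stream (first fix) instead of
 * being allocated and freed inside each read call. */
typedef struct { src_stream *stream; dec_ctx ctx; uint8_t *input_buf; int eof; } stream_data;

/* Invariant: any pending input must lie inside the live, persistent buffer. */
static void check_next_in(const stream_data *self)
{
    if (self->ctx.available_in == 0) return;
    const uint8_t *lo = self->input_buf, *hi = self->input_buf + TOY_BUFFER_SIZE;
    if (self->ctx.next_in < lo || self->ctx.next_in + self->ctx.available_in > hi)
        bounds_violations++;
}

static size_t decompress_read(stream_data *self, uint8_t *buf, size_t count)
{
    if (!self->input_buf) self->input_buf = malloc(TOY_BUFFER_SIZE); /* lazily, once */
    check_next_in(self);
    uint8_t *next_out = buf;
    size_t avail_out = count;
    for (;;) {
        if (dec_stream(&self->ctx, &next_out, &avail_out) != DEC_NEEDS_MORE_INPUT || self->eof) break;
        /* Second fix: refill at most TOY_BUFFER_SIZE bytes, never the caller's count. */
        size_t want = count < TOY_BUFFER_SIZE ? count : TOY_BUFFER_SIZE;
        size_t n = src_read(self->stream, self->input_buf, want);
        if (n == 0) { self->eof = 1; break; }
        self->ctx.next_in = self->input_buf;
        self->ctx.available_in = n;
    }
    return count - avail_out;
}

static void decompress_close(stream_data *self)
{
    free(self->input_buf);  /* single owner, single free, at stream close */
    self->input_buf = NULL;
    self->ctx.next_in = NULL;
    self->ctx.available_in = 0;
}

/* Round trip: payload_len constructed pseudo-random bytes read back through the
 * handler in chunks of chunk_size (>= 2). Returns 1 when the output is the expected
 * doubling and next_in stayed inside the buffer throughout. */
int roundtrip(size_t payload_len, size_t chunk_size)
{
    uint8_t *payload = malloc(payload_len), *out = malloc(2 * payload_len), *chunk = malloc(chunk_size);
    uint32_t x = 0x9E3779B9u;  /* constructed LCG seed; deterministic "uncompressible" data */
    for (size_t i = 0; i < payload_len; i++) { x = x * 1664525u + 1013904223u; payload[i] = (uint8_t)(x >> 24); }
    src_stream src = { payload, payload_len, 0 };
    stream_data self = { &src, { NULL, 0 }, NULL, 0 };
    size_t got = 0, n;
    while ((n = decompress_read(&self, chunk, chunk_size)) > 0 && got + n <= 2 * payload_len) {
        memcpy(out + got, chunk, n);
        got += n;
    }
    decompress_close(&self);
    int ok = (got == 2 * payload_len) && bounds_violations == 0;
    for (size_t i = 0; ok && i < payload_len; i++)
        ok = out[2 * i] == payload[i] && out[2 * i + 1] == payload[i];
    free(payload); free(out); free(chunk);
    return ok;
}

int main(void)
{
    printf("chunk 200 > buffer 64: %s (largest fill %zu)\n", roundtrip(300, 200) ? "ok" : "FAIL", largest_fill);
    return 0;
}
```

Running roundtrip with a 200-byte chunk against a 64-byte buffer is the toy equivalent of streams_007.phpt's stream_set_chunk_size(1<<20) against the 1<<19 buffer: without the min(count, TOY_BUFFER_SIZE) cap the refill would write 200 bytes into a 64-byte allocation, and with a per-call buffer the leftover bytes carried from one call to the next would be read from freed memory. An ASAN build (as the maintainer used above, with USE_ZEND_ALLOC=0 so the allocator is interposable) is what turns either mistake into a loud failure instead of a silent one.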
@kjdev kjdev merged commit 3718566 into master May 29, 2026
90 checks passed
@kjdev kjdev deleted the fix/heap-use-after-free branch May 29, 2026 02:31