fix(zval): Heap corruption with persistent=true #424

kakserpom · kakserpom · commit 07491d128127 · 2025-12-20T14:53:42.000+07:00
diff --git a/src/types/zval.rs b/src/types/zval.rs
@@ -496,6 +496,21 @@ impl Zval {
     /// * `val` - The value to set the zval as.
     /// * `persistent` - Whether the string should persist between requests.
     ///
+    /// # Persistent Strings
+    ///
+    /// When `persistent` is `true`, the string is allocated from PHP's
+    /// persistent heap (using `malloc`) rather than the request-bound heap.
+    /// This is typically used for strings that need to survive across multiple
+    /// PHP requests, such as class names, function names, or module-level data.
+    ///
+    /// **Important:** The string will still be freed when the Zval is dropped.
+    /// The `persistent` flag only affects which memory allocator is used. If
+    /// you need a string to outlive the Zval, consider using
+    /// [`std::mem::forget`] on the Zval or storing the string elsewhere.
+    ///
+    /// For most use cases (return values, function arguments, temporary
+    /// storage), you should use `persistent: false`.
+    ///
     /// # Errors
     ///
     /// Never returns an error.
@@ -507,6 +522,9 @@ impl Zval {
 
     /// Sets the value of the zval as a Zend string.
     ///
+    /// The Zval takes ownership of the string. When the Zval is dropped,
+    /// the string will be released.
+    ///
     /// # Parameters
     ///
     /// * `val` - String content.
@@ -527,9 +545,13 @@ impl Zval {
         self.value.str_ = ptr;
     }
 
-    /// Sets the value of the zval as a interned string. Returns nothing in a
+    /// Sets the value of the zval as an interned string. Returns nothing in a
     /// result when successful.
     ///
+    /// Interned strings are stored once and are immutable. PHP stores them in
+    /// an internal hashtable. Unlike regular strings, interned strings are not
+    /// reference counted and should not be freed by `zval_ptr_dtor`.
+    ///
     /// # Parameters
     ///
     /// * `val` - The value to set the zval as.
@@ -540,7 +562,10 @@ impl Zval {
     /// Never returns an error.
     // TODO: Check if we can drop the result here.
     pub fn set_interned_string(&mut self, val: &str, persistent: bool) -> Result<()> {
-        self.set_zend_string(ZendStr::new_interned(val, persistent));
+        // Use InternedStringEx (without RefCounted) because interned strings
+        // should not have their refcount modified by zval_ptr_dtor.
+        self.change_type(ZvalTypeFlags::InternedStringEx);
+        self.value.str_ = ZendStr::new_interned(val, persistent).into_raw();
         Ok(())
     }
 
