[2016-05-11 16:16 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-05-12 05:16 UTC] laruence@php.net
-Status: Open
+Status: Closed
[2016-07-20 11:31 UTC] davey@php.net
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Nov 07 08:00:02 2025 UTC |
Description:
------------
This was tested on 32 bits. pg_pconnect/pg_connect seems to be freeing the value passed as the connection string, but when this value is an array value, it can still be referenced and causes a use-after-free. In the sample $val is an empty array, but after calling pg_pconnect and another function (tempnam in this test case) it will be invalid and overwritten with other values. From the script output 47464544, this comes from the GFED value in the tempnam call result.

Test script:
---------------
<?php
$val = [];
$var1 = $val;
printf("%x\n", count($val));
@pg_pconnect($var1, "2", "3", "4");
$var1 = "";
tempnam('/tmp', 'ABCDEFGHI');
printf("%x\n", count($val));

Expected result:
----------------
0
0

Actual result:
--------------
0
47464544
php: /home/user/php-7.0/Zend/zend_gc.c:226: gc_possible_root: Assertion `(ref)->gc.u.v.type == 7 || (ref)->gc.u.v.type == 8' failed.
Aborted