Bug #44446 Memory leak in php_exec
Submitted: 2008-03-16 15:59 UTC
Modified: 2008-03-16 21:18 UTC
From: manuel at mausz dot at
Assigned:
Status: Not a bug
Package: *General Issues
PHP Version: 5.2.6RC2
OS: Linux + Windows
Private report: No
CVE-ID: None
 [2008-03-16 15:59 UTC] manuel at mausz dot at
Description:
------------
There's a memory leak in php_exec. The escaped command never gets freed.

--- ./ext/standard/exec.c.orig  2008-03-16 16:52:08.000000000 +0100
+++ ./ext/standard/exec.c       2008-03-16 16:51:54.000000000 +0100
@@ -116,6 +116,7 @@
 #else
        fp = VCWD_POPEN(cmd_p, "r");
 #endif
+       efree(cmd_p);
        if (!fp) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd);
                goto err;
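Review bot: the added efree(cmd_p) right after VCWD_POPEN runs on every path, but cmd_p is only a fresh allocation when the command was escaped. The follow-up patch's context shows the other branch is `cmd_p = cmd`, so on that path the caller's string is freed and then still read by the php_error_docref call two lines later. On the escaped path the same pointer is also held in d, which the function frees at exit according to the later replies, so that path becomes a double free. Leave the release to the existing cleanup of d instead of freeing cmd_p here.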



 [2008-03-16 16:19 UTC] manuel at mausz dot at
That's the correct patch:

--- php-5.2.5/ext/standard/exec.c.orig  2008-03-16 17:15:28.000000000 +0100
+++ php-5.2.5/ext/standard/exec.c       2008-03-16 17:16:26.000000000 +0100
@@ -87,7 +87,7 @@
                efree(d);
                d = cmd_p;
        } else {
-               cmd_p = cmd;
+               cmd_p = estrdup(cmd);
        }

 #if PHP_SIGCHILD
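Review bot: `cmd_p = estrdup(cmd)` in the else branch adds an allocation and a copy per call only so that cmd_p can be freed unconditionally later. The context lines just above it (`efree(d); d = cmd_p;`) show that d already carries ownership of the escaped string. Keeping `cmd_p = cmd` as a borrowed pointer and releasing only through d avoids the copy; if the copy stays, add a comment stating that cmd_p is now always an owned allocation.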
@@ -99,6 +99,7 @@
 #else
        fp = VCWD_POPEN(cmd_p, "r");
 #endif
+       efree(cmd_p);
        if (!fp) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd);
                goto err;
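Review bot: efree(cmd_p) after VCWD_POPEN leaves d dangling on the escaped path, because the previous hunk's context has `d = cmd_p`. Any later `if (d) efree(d)` (quoted in the reply below) then releases the same block twice. Either set d to NULL at the point where cmd_p takes over ownership, or drop this efree and let the cleanup of d handle it.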
 [2008-03-16 18:07 UTC] felipe@php.net
Hello, do you have a reproduce script?
I'm not seeing a leak here.

We have:
if (...) {
	/* ... */
	cmd_p = php_escape_shell_cmd(d);
	efree(d);
	d = cmd_p;

} else {
	cmd_p = cmd;
}

and:
	if (d) {
		efree(d);
	}

Destined to free the escaped cmd.
 [2008-03-16 18:39 UTC] manuel at mausz dot at
Hello,
sorry, you're right. I overlooked that free at the end.
But then d won't be freed if VCWD_POPEN fails and the code jumps to the "err"-label.

And no, I don't have a script. I just looked at the safe_mode_exec_dir code and found that issue.
 [2008-03-16 21:18 UTC] felipe@php.net
It will be freed. 'err:' jumps to 'done:'.
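The ownership and cleanup flow discussed in this thread, as a stand-alone C program (an added example, not code from the PHP source or from any participant in this report). The names x_escape, x_free, run_cmd and leaked_after are hypothetical, the popen failure is simulated, and the counting wrappers stand in for php_escape_shell_cmd() and efree() so the allocation balance can be checked on every path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins, not PHP source: counting wrappers take the place of
 * php_escape_shell_cmd()/efree() so allocation balance can be checked. */
static int live_allocs = 0;

static char *x_escape(const char *s) {
    char *out = malloc(strlen(s) + 1);
    if (!out) abort();
    strcpy(out, s);
    live_allocs++;
    return out;
}

static void x_free(char *p) { free(p); live_allocs--; }

/* d owns the escaped copy; cmd_p only aliases it (or borrows cmd). */
int run_cmd(const char *cmd, int escape, int popen_fails) {
    char *d = NULL;
    const char *cmd_p;
    int ret = 0;

    if (escape) {
        d = x_escape(cmd);
        cmd_p = d;
    } else {
        cmd_p = cmd;            /* borrowed, must never be freed here */
    }
    if (popen_fails) {          /* simulated VCWD_POPEN failure */
        fprintf(stderr, "Unable to fork [%s]\n", cmd_p);
        goto err;
    }
done:
    if (d) x_free(d);           /* the one place the escaped copy is released */
    return ret;
err:
    ret = -1;
    goto done;                  /* error path reuses the same cleanup */
}

/* Returns outstanding allocations after one call; 0 means no leak. */
int leaked_after(int escape, int popen_fails) {
    run_cmd("ls -l", escape, popen_fails);
    return live_allocs;
}

int main(void) { printf("%d\n", leaked_after(1, 1)); return 0; }
```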
 
Last updated: Sun Jul 27 02:00:03 2025 UTC