|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-05-11 16:16 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-05-12 05:16 UTC] laruence@php.net
[2016-05-12 05:16 UTC] laruence@php.net
-Status: Open
+Status: Closed
[2016-07-20 11:31 UTC] davey@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu May 02 11:01:31 2024 UTC |
Description: ------------ This was tested on 32 bits. pg_pconnect/pg_connect seems to be freeing the value passed as string connection, but when this value it's an array value, this can still be referenced and causes use-after-free. In the sample $val is an empty array, but after calling pg_pconnect and other function (tempnam in this testcases) it will be invalid and overwritten with other values. From the script output 47464544, this comes from the GFED value in the tempnam call result. Test script: --------------- <?php $val = []; $var1 = $val; printf("%x\n", count($val)); @pg_pconnect($var1, "2", "3", "4"); $var1 = ""; tempnam('/tmp', 'ABCDEFGHI'); printf("%x\n", count($val)); Expected result: ---------------- 0 0 Actual result: -------------- 0 47464544 php: /home/user/php-7.0/Zend/zend_gc.c:226: gc_possible_root: Assertion `(ref)->gc.u.v.type == 7 || (ref)->gc.u.v.type == 8' failed. Aborted