Bug #68996 Invalid free of CG(interned_empty_string)
Submitted: 2015-02-06 15:58 UTC Modified: 2015-02-08 14:11 UTC
From: manuel-php at mausz dot at Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.6RC1 OS:
Private report: No CVE-ID: None
 [2015-02-06 15:58 UTC] manuel-php at mausz dot at
Description:
------------
If php_escape_html_entities fails, CG(interned_empty_string) will be freed:

* If interned strings are enabled (default) STR_EMPTY_ALLOC is an alias for CG(interned_empty_string)
see https://github.com/php/php-src/blob/PHP-5.6/Zend/zend.h#L682

* php_escape_html_entities_ex returns STR_EMPTY_ALLOC in case of failure
see https://github.com/php/php-src/blob/PHP-5.6/ext/standard/html.c#L1307

* php_escape_html_entities is used in php_verror if display_errors is enabled
see https://github.com/php/php-src/blob/PHP-5.6/main/main.c#L848

* Thus CG(interned_empty_string) gets freed
see https://github.com/php/php-src/blob/PHP-5.6/main/main.c#L921

This issue is even worse when opcache is enabled.

Sample script:
fopen("\xfc\x63", "r");

https://github.com/php/php-src/blob/PHP-5.6/ext/wddx/wddx.c#L408:
wddx_serialize_value("\xfc\x63");

https://github.com/php/php-src/blob/PHP-5.6/ext/wddx/wddx.c#L633:
wddx_serialize_value([ "\xfc\x63" => "foo" ]);

https://github.com/php/php-src/blob/PHP-5.6/ext/soap/soap.c#L3997
https://github.com/php/php-src/blob/PHP-5.6/ext/soap/soap.c#L4022
(new SoapServer(NULL, [ "location" => "http://foo", "uri" => "http://foo" ]))->fault("\xfc\x63", "foo");

No issues (imho):
https://github.com/php/php-src/blob/PHP-5.6/main/main.c#L790
https://github.com/php/php-src/blob/PHP-5.6/sapi/fpm/fpm/fpm_status.c#L421
https://github.com/php/php-src/blob/PHP-5.6/sapi/cli/php_cli_server.c#L1929
php_escape_html_entities calls in https://github.com/php/php-src/blob/PHP-5.6/info/info.c are safe too
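The defect pattern behind this report, as an added C example that is not PHP's own code and not the fix from the pull request: an escaper that returns a process-wide interned empty string instead of heap memory when its input is invalid (here a minimal UTF-8 check that rejects the sample "\xfc\x63" because 0xFC is not a legal lead byte), and a release routine that checks for that sentinel before calling free(). Passing the sentinel to free() directly is the invalid free described above. The names interned_empty, is_interned, escape_html, release_str, escape_needs_free and escape_matches are hypothetical stand-ins for the PHP internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for CG(interned_empty_string): a single empty
 * string in static storage that must never be handed to free(). */
static char interned_empty[1] = "";

int is_interned(const char *s) { return s == interned_empty; }

/* Minimal UTF-8 validity check: lead bytes 0xC0, 0xC1 and 0xF5..0xFF are
 * invalid, and every continuation byte must be 10xxxxxx. */
static int utf8_valid(const unsigned char *s, size_t len) {
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t need;
        if (c < 0x80) need = 0;
        else if (c >= 0xC2 && c <= 0xDF) need = 1;
        else if (c >= 0xE0 && c <= 0xEF) need = 2;
        else if (c >= 0xF0 && c <= 0xF4) need = 3;
        else return 0;                       /* 0xFC lands here */
        if (i + need >= len) return 0;       /* truncated sequence */
        for (size_t j = 1; j <= need; j++)
            if ((s[i + j] & 0xC0) != 0x80) return 0;
        i += need + 1;
    }
    return 1;
}

/* Escaper in the style the report describes: heap memory on success,
 * the shared interned sentinel on failure. */
char *escape_html(const char *in, size_t len, size_t *out_len) {
    if (!utf8_valid((const unsigned char *)in, len)) {
        *out_len = 0;
        return interned_empty;               /* failure: not allocated */
    }
    char *out = malloc(len * 6 + 1);         /* "&quot;"/"&#039;" per byte worst case */
    if (!out) { *out_len = 0; return interned_empty; }
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        const char *rep = NULL;
        switch (in[i]) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#039;"; break;
        }
        if (rep) { size_t r = strlen(rep); memcpy(out + o, rep, r); o += r; }
        else out[o++] = in[i];
    }
    out[o] = '\0';
    *out_len = o;
    return out;
}

/* Hardened release: only heap results reach free(). A caller that calls
 * free(s) unconditionally reproduces the bug in the report. */
void release_str(char *s) { if (!is_interned(s)) free(s); }

/* Returns 1 if escaping this input yields heap memory the caller owns,
 * 0 if it yields the sentinel that must not be freed. */
int escape_needs_free(const char *in, size_t len) {
    size_t n;
    char *r = escape_html(in, len, &n);
    int heap = !is_interned(r);
    release_str(r);
    return heap;
}

/* Returns 1 if escaping `in` produces exactly `expected`. */
int escape_matches(const char *in, const char *expected) {
    size_t n;
    char *r = escape_html(in, strlen(in), &n);
    int ok = strcmp(r, expected) == 0;
    release_str(r);
    return ok;
}

int main(void) {
    printf("valid input owns heap memory: %d\n", escape_needs_free("abc", 3));
    printf("\\xfc\\x63 returns sentinel (must not free): %d\n",
           escape_needs_free("\xfc\x63", 2));
    printf("escaped form matches: %d\n",
           escape_matches("<a href=\"x\">", "&lt;a href=&quot;x&quot;&gt;"));
    return 0;
}
```

The point of the check in release_str is that the sentinel is reachable from every failure path, including allocation failure, so any caller that treats the return value as always-owned memory will eventually free static storage; the same shape applies to the callers the report lists (php_verror, wddx, soap).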


 [2015-02-06 16:03 UTC] manuel-php at mausz dot at
PR: https://github.com/php/php-src/pull/1060
 [2015-02-07 17:57 UTC] manuel-php at mausz dot at
Btw, I've just found an existing bug report covering the first invalid free: https://bugs.php.net/bug.php?id=68214
 [2015-02-07 18:06 UTC] manuel-php at mausz dot at
Err, #68214 is another invalid free. Looks like main/main.c#L790 is an issue. Will update my PR in a minute.
 [2015-02-08 14:11 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-02-08 14:11 UTC] ab@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.
