php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68996 Invalid free of CG(interned_empty_string)
Submitted: 2015-02-06 15:58 UTC Modified: 2015-02-08 14:11 UTC
From: manuel-php at mausz dot at Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.6RC1 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: manuel-php at mausz dot at
New email:
PHP Version: OS:

 

 [2015-02-06 15:58 UTC] manuel-php at mausz dot at
Description:
------------
If php_escape_html_entities fails CG(interned_empty_string) will be freed:

* If interned strings are enabled (default) STR_EMPTY_ALLOC is an alias for CG(interned_empty_string)
see https://github.com/php/php-src/blob/PHP-5.6/Zend/zend.h#L682

* php_escape_html_entities_ex returns STR_EMPTY_ALLOC in case of failure
see https://github.com/php/php-src/blob/PHP-5.6/ext/standard/html.c#L1307

* php_escape_html_entities is used in php_verror if display_errors is enabled
see https://github.com/php/php-src/blob/PHP-5.6/main/main.c#L848

* Thus CG(interned_empty_string) gets freed
see https://github.com/php/php-src/blob/PHP-5.6/main/main.c#L921

This issue is even worse when opcache is enabled.

Sample script:
fopen("\xfc\x63", "r");

https://github.com/php/php-src/blob/PHP-5.6/ext/wddx/wddx.c#L408:
wddx_serialize_value("\xfc\x63");

https://github.com/php/php-src/blob/PHP-5.6/ext/wddx/wddx.c#L633:
wddx_serialize_value([ "\xfc\x63" => "foo" ]);

https://github.com/php/php-src/blob/PHP-5.6/ext/soap/soap.c#L3997
https://github.com/php/php-src/blob/PHP-5.6/ext/soap/soap.c#L4022
(new SoapServer(NULL, [ "location" => "http://foo", "uri" => "http://foo" ]))->fault("\xfc\x63", "foo");

No issues (imho):
https://github.com/php/php-src/blob/PHP-5.6/main/main.c#L790
https://github.com/php/php-src/blob/PHP-5.6/sapi/fpm/fpm/fpm_status.c#L421
https://github.com/php/php-src/blob/PHP-5.6/sapi/cli/php_cli_server.c#L1929
php_escape_html_entities calls in https://github.com/php/php-src/blob/PHP-5.6/info/info.c are safe too


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-06 16:03 UTC] manuel-php at mausz dot at
PR: https://github.com/php/php-src/pull/1060
 [2015-02-07 17:57 UTC] manuel-php at mausz dot at
Btw, I've just found an existing bug report covering the first invalid free: https://bugs.php.net/bug.php?id=68214
 [2015-02-07 18:06 UTC] manuel-php at mausz dot at
Err, #68214 is another invalid free. Looks like main/main.c#L790 is an issue. Will update my PR in a minute.
 [2015-02-08 14:11 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-02-08 14:11 UTC] ab@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 25 11:01:33 2024 UTC