PHP :: Bug #44446 :: Memory leak in php

Bug #44446	Memory leak in php_exec
Submitted:	2008-03-16 15:59 UTC	Modified:	2008-03-16 21:18 UTC
From:	manuel at mausz dot at	Assigned:
Status:	Not a bug	Package:	*General Issues
PHP Version:	5.2.6RC2	OS:	Linux + Windows
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	manuel at mausz dot at
New email:
PHP Version:		OS:

New Comment:

[2008-03-16 15:59 UTC] manuel at mausz dot at

Description:
------------
There's a memory leak in php_exec. The escaped command never gets freed.

--- ./ext/standard/exec.c.orig  2008-03-16 16:52:08.000000000 +0100
+++ ./ext/standard/exec.c       2008-03-16 16:51:54.000000000 +0100
@@ -116,6 +116,7 @@
 #else
        fp = VCWD_POPEN(cmd_p, "r");
 #endif
+       efree(cmd_p);
        if (!fp) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd);
                goto err;

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-03-16 16:19 UTC] manuel at mausz dot at

That's the correct patch:

--- php-5.2.5/ext/standard/exec.c.orig  2008-03-16 17:15:28.000000000 +0100
+++ php-5.2.5/ext/standard/exec.c       2008-03-16 17:16:26.000000000 +0100
@@ -87,7 +87,7 @@
                efree(d);
                d = cmd_p;
        } else {
-               cmd_p = cmd;
+               cmd_p = estrdup(cmd);
        }

 #if PHP_SIGCHILD
@@ -99,6 +99,7 @@
 #else
        fp = VCWD_POPEN(cmd_p, "r");
 #endif
+       efree(cmd_p);
        if (!fp) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd);
                goto err;

[2008-03-16 18:07 UTC] felipe@php.net

Hello, you have a reprocuce script? 
I'm not see leak here.

We have:
if (...) {
	/* ... */
	cmd_p = php_escape_shell_cmd(d);
	efree(d);
	d = cmd_p;

} else {
	cmd_p = cmd;
}

and:
	if (d) {
		efree(d);
	}

Destined to free the escaped cmd.

[2008-03-16 18:39 UTC] manuel at mausz dot at

Hello,
sorry, you're right. I overlooked that free at the end.
But then d won't be freed if VCWD_POPEN fails and the code jumps to the "err"-label.

And no, I don't have a script. I just looked at the safe_mode_exec_dir code and found that issue.

[2008-03-16 21:18 UTC] felipe@php.net

It will be freed. 'err:' jumps to 'done:'.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Jul 27 10:00:02 2025 UTC