PHP :: Bug #47165 :: Possible memory corruption when passing return value by reference by

Bug #47165	Possible memory corruption when passing return value by reference by
Submitted:	2009-01-20 11:14 UTC	Modified:	2009-01-22 08:53 UTC
From:	dmitry@php.net	Assigned:	dmitry (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	5.2.8	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	dmitry@php.net
New email:
PHP Version:		OS:

New Comment:

[2009-01-20 11:14 UTC] dmitry@php.net

Description:
------------
The following code cases a double free() and memory corruption

Reproduce code:
---------------
<?php
class Foo {
	var $bar = array();

	static function bar() {
		static $instance = null;
		$instance = new Foo();
		return $instance->bar;
	}
}
extract(Foo::bar());
echo "ok\n";
?>


Expected result:
----------------
ok

Actual result:
--------------
ok
[Tue Jan 20 14:11:52 2009]  Script:  't.php'
/home/dmitry/php/php5.2/Zend/zend_vm_execute.h(7581) :  Freeing 0x09EE74DC (16 bytes), script=t.php
[Tue Jan 20 14:11:52 2009]  Script:  't.php'
/home/dmitry/php/php5.2/Zend/zend_variables.h(45) :  Freeing 0x09EE9C6C (44 bytes), script=t.php
/home/dmitry/php/php5.2/Zend/zend_variables.c(132) : Actual location (location was relayed)
[Tue Jan 20 14:11:52 2009]  Script:  't.php'
/home/dmitry/php/php5.2/Zend/zend_variables.c(133) :  Freeing 0x09EE9D68 (32 bytes), script=t.php
/home/dmitry/php/php5.2/Zend/zend_alloc.c(2386) : Actual location (location was relayed)
=== Total 3 memory leaks detected ===


$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php t.php 
==30559== Memcheck, a memory error detector.
==30559== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==30559== Using LibVEX rev 1804, a library for dynamic binary translation.
==30559== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==30559== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==30559== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==30559== For more details, rerun with: -v
==30559== 
ok
==30559== Invalid read of size 4
==30559==    at 0x8389C3E: _zval_ptr_dtor (zend_execute_API.c:412)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559==    by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559==    by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559==    by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559==    by 0x839ADD6: zend_deactivate (zend.c:860)
==30559==    by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559==    by 0x84222C3: main (php_cli.c:1314)
==30559==  Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559==    at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559==    by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559==    by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559==    by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559==    by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559==    by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559==    by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559==    by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559==    by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559== 
==30559== Invalid write of size 4
==30559==    at 0x8389C44: _zval_ptr_dtor (zend_execute_API.c:412)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559==    by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559==    by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559==    by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559==    by 0x839ADD6: zend_deactivate (zend.c:860)
==30559==    by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559==    by 0x84222C3: main (php_cli.c:1314)
==30559==  Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559==    at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559==    by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559==    by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559==    by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559==    by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559==    by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559==    by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559==    by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559==    by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559== 
==30559== Invalid read of size 4
==30559==    at 0x8389C4C: _zval_ptr_dtor (zend_execute_API.c:413)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559==    by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559==    by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559==    by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559==    by 0x839ADD6: zend_deactivate (zend.c:860)
==30559==    by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559==    by 0x84222C3: main (php_cli.c:1314)
==30559==  Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559==    at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559==    by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559==    by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559==    by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559==    by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559==    by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559==    by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559==    by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559==    by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559== 
==30559== Invalid read of size 4
==30559==    at 0x8389CA6: _zval_ptr_dtor (zend_execute_API.c:416)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559==    by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559==    by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559==    by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559==    by 0x839ADD6: zend_deactivate (zend.c:860)
==30559==    by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559==    by 0x84222C3: main (php_cli.c:1314)
==30559==  Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559==    at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559==    by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559==    by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559==    by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559==    by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559==    by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559==    by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559==    by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559==    by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559== 
==30559== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 41 from 1)
==30559== malloc/free: in use at exit: 20,736 bytes in 1,349 blocks.
==30559== malloc/free: 16,443 allocs, 15,094 frees, 1,753,883 bytes allocated.
==30559== For counts of detected errors, rerun with: -v
==30559== searching for pointers to 1,349 not-freed blocks.
==30559== checked 1,027,500 bytes.
==30559== 
==30559== LEAK SUMMARY:
==30559==    definitely lost: 92 bytes in 3 blocks.
==30559==      possibly lost: 0 bytes in 0 blocks.
==30559==    still reachable: 20,644 bytes in 1,346 blocks.
==30559==         suppressed: 0 bytes in 0 blocks.
==30559== Rerun with --leak-check=full to see details of leaked memory.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-01-22 08:53 UTC] dmitry@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC