php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #68908 Invalid free in ext/opcache/zend_persist.c
Submitted: 2015-01-24 20:05 UTC Modified: 2015-01-24 23:33 UTC
From: bugreports at internot dot info Assigned:
Status: Not a bug Package: opcache
PHP Version: 5.5.21 OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bugreports at internot dot info
New email:
PHP Version: OS:

 

 [2015-01-24 20:05 UTC] bugreports at internot dot info 
Description:
------------
Hi,

In /ext/opcache/zend_persist.c:


This is in a while() loop, so this is possible I think:



 82                        p->pData = &p->pDataPtr;



 79                        zend_accel_store(p->pData, el_size);

which frees p->pData, but it is a (void), which cannot hold memory.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-24 22:41 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2015-01-24 22:41 UTC] stas@php.net 
Could you please explain what you mean? " a (void), which cannot hold memory" doesn't make much sense to me, sorry - p->pData is a pointer, and I don't see any problem with it in either line 79 or line 82.
 [2015-01-24 23:16 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-24 23:16 UTC] bugreports at internot dot info 
&p->pDataPtr
is a non-heap object.
 [2015-01-24 23:33 UTC] stas@php.net
-Summary: Invalid free +Summary: Invalid free in ext/opcache/zend_persist.c -Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2015-01-24 23:33 UTC] stas@php.net 
But p is reset each loop iteration, so I don't see how the same p->pData from previous loop in line 82 can appear in line 79 in the next loop.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Dec 22 12:01:30 2024 UTC