Bug #68996 Invalid free of CG(interned_empty_string)
Submitted: 2015-02-06 15:58 UTC Modified: 2015-02-08 14:11 UTC
From: manuel-php at mausz dot at Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.6RC1 OS:
Private report: No CVE-ID: None
 [2015-02-06 15:58 UTC] manuel-php at mausz dot at
Description:
------------
If php_escape_html_entities fails, CG(interned_empty_string) will be freed:

* If interned strings are enabled (default), STR_EMPTY_ALLOC is an alias for CG(interned_empty_string)
see https://github.com/php/php-src/blob/PHP-5.6/Zend/zend.h#L682

* php_escape_html_entities_ex returns STR_EMPTY_ALLOC in case of failure
see https://github.com/php/php-src/blob/PHP-5.6/ext/standard/html.c#L1307

* php_escape_html_entities is used in php_verror if display_errors is enabled
see https://github.com/php/php-src/blob/PHP-5.6/main/main.c#L848

* Thus CG(interned_empty_string) gets freed
see https://github.com/php/php-src/blob/PHP-5.6/main/main.c#L921

This issue is even worse when opcache is enabled.

Sample script:
fopen("\xfc\x63", "r");

https://github.com/php/php-src/blob/PHP-5.6/ext/wddx/wddx.c#L408:
wddx_serialize_value("\xfc\x63");

https://github.com/php/php-src/blob/PHP-5.6/ext/wddx/wddx.c#L633:
wddx_serialize_value([ "\xfc\x63" => "foo" ]);

https://github.com/php/php-src/blob/PHP-5.6/ext/soap/soap.c#L3997
https://github.com/php/php-src/blob/PHP-5.6/ext/soap/soap.c#L4022
(new SoapServer(NULL, [ "location" => "http://foo", "uri" => "http://foo" ]))->fault("\xfc\x63", "foo");

No issues (imho):
https://github.com/php/php-src/blob/PHP-5.6/main/main.c#L790
https://github.com/php/php-src/blob/PHP-5.6/sapi/fpm/fpm/fpm_status.c#L421
https://github.com/php/php-src/blob/PHP-5.6/sapi/cli/php_cli_server.c#L1929
php_escape_html_entities calls in https://github.com/php/php-src/blob/PHP-5.6/info/info.c are safe too
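As an added illustration (not php-src code and not the change made in the linked PR), the following C model shows the ownership mismatch the report describes: an encoder that returns a shared interned sentinel on failure while its caller frees every return value, next to a fixed shape that keeps ownership uniform and a caller-side guard. The names escape_buggy, escape_fixed, str_release and the minimal UTF-8 check are assumed stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for PHP 5.6's CG(interned_empty_string): a process-wide buffer that
 * must never be freed; STR_EMPTY_ALLOC() aliases it when interning is on.
 * Names here are illustrative, not php-src symbols. */
static char interned_empty_storage[1] = "";
#define INTERNED_EMPTY_STRING interned_empty_storage

/* Constructed minimal check: a byte >= 0x80 must be followed by a continuation
 * byte (10xxxxxx). "\xfc\x63" fails since 'c' (0x63) is not one. */
static int looks_valid_utf8(const unsigned char *s, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (s[i] >= 0x80 && (++i >= len || (s[i] & 0xC0) != 0x80)) return 0;
    return 1;
}

static char *heap_copy(const char *in, size_t len) {
    char *out = malloc(len + 1);
    memcpy(out, in, len);
    out[len] = '\0';
    return out;
}

/* Buggy shape: failure returns the shared sentinel, but the caller (as in
 * php_verror with display_errors on) frees whatever it received. */
char *escape_buggy(const char *in, size_t len) {
    if (!looks_valid_utf8((const unsigned char *)in, len)) return INTERNED_EMPTY_STRING;
    return heap_copy(in, len);
}

/* Fixed shape: success and failure both return caller-owned heap memory, so
 * an unconditional free() in the caller is always valid. */
char *escape_fixed(const char *in, size_t len) {
    if (!looks_valid_utf8((const unsigned char *)in, len)) return heap_copy("", 0);
    return heap_copy(in, len);
}

/* Caller-side guard: never free the interned sentinel. */
void str_release(char *s) { if (s != INTERNED_EMPTY_STRING) free(s); }

/* 1 if escaping the report's "\xfc\x63" handed back the interned sentinel
 * (the invalid-free hazard), 0 if it handed back a heap string. */
int hands_back_interned(char *(*escape)(const char *, size_t)) {
    char *r = escape("\xfc\x63", 2);
    int interned = (r == INTERNED_EMPTY_STRING);
    str_release(r);
    return interned;
}
```

Running hands_back_interned(escape_buggy) under a sanitizer without the str_release guard reproduces the invalid free on a non-heap pointer that the report describes.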

 [2015-02-06 16:03 UTC] manuel-php at mausz dot at
PR: https://github.com/php/php-src/pull/1060
 [2015-02-07 17:57 UTC] manuel-php at mausz dot at
Btw, I've just found an existing bug report covering the first invalid free: https://bugs.php.net/bug.php?id=68214
 [2015-02-07 18:06 UTC] manuel-php at mausz dot at
Err, #68214 is another invalid free. Looks like main/main.c#L790 is an issue. Will update my PR in a minute.
 [2015-02-08 14:11 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-02-08 14:11 UTC] ab@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
Last updated: Fri Nov 22 07:01:29 2024 UTC