php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75867 Freeing uninitialized pointer
Submitted: 2018-01-24 02:51 UTC Modified: 2018-02-24 22:29 UTC
From: mike at flyn dot org Assigned: cmb (profile)
Status: Closed Package: ICONV related
PHP Version: 7.2.1 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: mike at flyn dot org
New email:
PHP Version: OS:

 

 [2018-01-24 02:51 UTC] mike at flyn dot org 
Description:
------------
In iconv.c, it is possible that out_buffer might be free'd without every having been made to point to a valid heap address. This is because stack variables are not implicitly initialized, and php_iconv_string might fail, thus never initializing &out_buffer.

See the attached patch.

Patches

php_iconv_string-out-pointer-initialize (last revision 2018-01-24 03:15 UTC by philipp at redfish-solutions dot com)
fix-initialization.patch (last revision 2018-01-24 02:51 UTC by mike at flyn dot org)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-01-24 03:19 UTC] philipp at redfish-solutions dot com 
One path through the conditional code of php_iconv_string() NULL's the pointer *out.  The other path doesn't.  This seems broken, or at the very least, extremely risky.

NULL it out on either path so that if we bail early on an error condition, it's consistently set the same.
 [2018-02-24 22:29 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2018-02-24 22:29 UTC] cmb@php.net 
This issue has been resolved by merging
<https://github.com/php/php-src/pull/3037>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 11:01:29 2024 UTC