[2021-04-19 11:13 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: cmb
[2021-04-19 11:13 UTC] cmb@php.net
[2021-04-20 03:00 UTC] lylgood at foxmail dot com
-Status: Feedback
+Status: Assigned
[2021-04-20 03:00 UTC] lylgood at foxmail dot com
[2021-04-20 10:31 UTC] cmb@php.net
-Summary: A potential use after free bug in ext/standard/browscap.c
+Summary: Fishy code in ext/standard/browscap.c
-Status: Assigned
+Status: Open
-Assigned To: cmb
+Assigned To:
[2021-04-20 10:31 UTC] cmb@php.net
Description:
------------
File: ext/standard/browscap.c
Bug Function: php_browscap_parser_cb

In function php_browscap_parser_cb, pattern is re-assigned by pattern = zend_new_interned_string() at line 368. Then, if ZSTR_IS_INTERNED(pattern) is false, pattern will be freed via zend_string_release(pattern) at line 372. But after that, pattern is still used at line 378 by zend_hash_update_ptr(bdata->htab, pattern, entry), which is a use after free bug.

Test script:
---------------
if (persistent) {
368:    pattern = zend_new_interned_string(zend_string_copy(pattern));
        if (ZSTR_IS_INTERNED(pattern)) {
            Z_TYPE_FLAGS_P(arg1) = 0;
        } else {
372:        zend_string_release(pattern); //pattern could be freed !
        }
    }
    ...
378: zend_hash_update_ptr(bdata->htab, pattern, entry);//freed pattern is used !
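An added C model, not code from the bug report or from PHP itself, of the reference counting a reviewer would trace before confirming a report like this one. It assumes what the Zend API documents: zend_string_copy() adds a reference to a non-interned string, and zend_new_interned_string() consumes the reference it is handed, either by making the string interned (owned by the intern table, no longer refcounted) or by returning it unchanged. The struct and function names below are simplified stand-ins, not PHP's. The with_copy=true path follows the posted snippet; the with_copy=false path releases the caller's only reference, which is the condition under which the use on line 378 would actually be a use after free.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Toy refcounted string standing in for zend_string (assumption: simplified
 * model; PHP's real struct, GC flags and macros are not used here). */
typedef struct {
    unsigned refcount;
    bool interned;   /* interned strings are owned by a table and never released */
    bool freed;      /* set instead of calling free(), so callers can inspect it */
    char *val;
} mstr;

static mstr *mstr_new(const char *s) {
    mstr *z = calloc(1, sizeof *z);
    size_t n = strlen(s) + 1;
    z->refcount = 1;
    z->val = malloc(n);
    memcpy(z->val, s, n);
    return z;
}

static void mstr_destroy(mstr *z) { free(z->val); free(z); }

/* Like zend_string_copy(): add a reference unless the string is interned. */
static mstr *mstr_copy(mstr *z) {
    if (!z->interned) z->refcount++;
    return z;
}

/* Like zend_string_release(): drop a reference; "free" when it reaches zero. */
static void mstr_release(mstr *z) {
    if (z->interned) return;
    if (--z->refcount == 0) z->freed = true;
}

/* Model of zend_new_interned_string(): it takes over the reference it is
 * handed. With interning available the string becomes interned (the table
 * owns it); without it, the string comes back unchanged and the caller still
 * owns the reference it passed in. (The real function may also return a
 * pre-existing interned string after releasing its argument; that branch
 * drops the same reference, so the outcome for the caller is identical.) */
static mstr *mstr_new_interned(mstr *z, bool interning_available) {
    if (!z->interned && interning_available) z->interned = true;
    return z;
}

/* The sequence from php_browscap_parser_cb, starting from a pattern that the
 * caller holds exactly one reference to (the zval arg1). Returns true if
 * `pattern` is still live at the point where zend_hash_update_ptr() would use
 * it, and reports the remaining refcount through refcount_out. */
static bool pattern_sequence(bool interning_available, bool with_copy, unsigned *refcount_out) {
    mstr *pattern = mstr_new("Mozilla/5.0*");  /* constructed sample pattern */
    mstr *owner = pattern;                      /* handle kept for cleanup */

    /* line 368: with_copy=true is the snippet as posted */
    pattern = mstr_new_interned(with_copy ? mstr_copy(pattern) : pattern, interning_available);
    if (pattern->interned) {
        /* real code: Z_TYPE_FLAGS_P(arg1) = 0; the zval stops owning a refcounted string */
    } else {
        mstr_release(pattern);                  /* line 372 */
    }

    bool live = !pattern->freed;                /* line 378 would dereference pattern here */
    if (refcount_out) *refcount_out = pattern->refcount;
    mstr_destroy(owner);
    return live;
}

int main(void) {
    unsigned rc;
    bool a = pattern_sequence(false, true, &rc);
    printf("no interning, with copy:    live=%d refcount=%u\n", a, rc);
    bool b = pattern_sequence(true, true, &rc);
    printf("interning, with copy:       live=%d interned\n", b);
    bool c = pattern_sequence(false, false, &rc);
    printf("no interning, without copy: live=%d refcount=%u\n", c, rc);
    return 0;
}
```

Run as-is it prints the three cases; the only path on which the string is dead at line 378 is the one where no extra reference was taken before the release, so the question a reviewer has to settle is whether the reference dropped on line 372 is the one added on line 368 or the caller's own.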