[2007-07-11 21:38 UTC] tony2001@php.net
[2007-07-12 09:19 UTC] tony2001@php.net
Description:
------------
Try the example with HEAD (5_2 seems immune).

The example exploits that sort() needs its parameter to be passed by reference, which we don't do. zend_call_function() will bail out on this, and return FAILURE when called from call_user_func_array().

The first instruction of zend_call_function() is

    *fci->retval_ptr_ptr = NULL;

with this we lose the original pointer and leak when zend_call_function() returns with FAILURE. In this case in call_user_func_array() new memory for return_value is allocated, which later is destructed.

[23:55:29] andrey@lmy004:~/dev/php6> ./php -r '$a=array(4,3,2);call_user_func_array("sort", array($a));var_dump($a);'
array(3) {
  [0]=>
  int(4)
  [1]=>
  int(3)
  [2]=>
  int(2)
}
[Wed Jul 11 23:55:32 2007]  Script:  '-'
/home/andrey/dev/php6/Zend/zend_vm_execute.h(191) :  Freeing 0x40D4C400 (16 bytes), script=-
=== Total 1 memory leaks detected ===

Reproduce code:
---------------
php -r '$a=array(4,3,2);call_user_func_array("sort", array($a));var_dump($a);'
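As an added illustration, not code from the report or from the Zend engine, the C program below models the pattern the report describes: a callee that nulls the caller's return-value slot before deciding to bail out, beside a variant that checks first. All names (zval, call_function_buggy, call_function_fixed, run_call) are constructed stand-ins, only the FAILURE path is modelled, and the allocation counter plays the role of the debug allocator's leak report.

```c
/* Constructed model of the pointer-clobber leak from the report; the names
 * (zval, call_function_*, run_call) are stand-ins, not Zend engine code. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int value; } zval;          /* stand-in for a Zend zval */
enum { SUCCESS = 0, FAILURE = -1 };

static int live_allocs = 0;                  /* outstanding zvals, like the debug allocator's leak count */
static zval *zval_alloc(void) { live_allocs++; return calloc(1, sizeof(zval)); }
static void zval_free(zval *z) { if (z) { live_allocs--; free(z); } }

/* Buggy model of zend_call_function(): the caller's return-value slot is
 * nulled before the by-reference check, so the original pointer is lost. */
static int call_function_buggy(zval **retval_ptr_ptr, int needs_ref, int passed_by_ref) {
    *retval_ptr_ptr = NULL;                  /* first instruction: original pointer gone */
    if (needs_ref && !passed_by_ref)
        return FAILURE;                      /* bail out, nothing restored */
    *retval_ptr_ptr = zval_alloc();
    return SUCCESS;
}

/* Fixed model: bail out before touching the caller's slot at all. */
static int call_function_fixed(zval **retval_ptr_ptr, int needs_ref, int passed_by_ref) {
    if (needs_ref && !passed_by_ref)
        return FAILURE;                      /* caller's pointer untouched */
    *retval_ptr_ptr = zval_alloc();
    return SUCCESS;
}

/* Model of call_user_func_array(): the VM hands in an allocated return_value;
 * if the call failed and the slot is now empty, a fresh zval is allocated and
 * the slot's content is destructed afterwards. Returns the number of leaked zvals. */
static int run_call(int (*call)(zval **, int, int)) {
    int before = live_allocs;
    zval *return_value = zval_alloc();       /* the zval the VM passes in */
    zval *slot = return_value;
    if (call(&slot, 1, 0) == FAILURE && slot == NULL)
        slot = zval_alloc();                 /* replacement; the original is now unreachable */
    zval_free(slot);                         /* destructs whatever the slot holds now */
    return live_allocs - before;             /* 1 = one zval leaked, 0 = clean */
}

int main(void) {
    printf("buggy: %d leaked\n", run_call(call_function_buggy));
    printf("fixed: %d leaked\n", run_call(call_function_fixed));
    return 0;
}
```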