Bug #41970 Zend Engine 3.0.0 leaks
Submitted: 2007-07-11 21:12 UTC Modified: 2007-07-12 09:19 UTC
From: php at hristov dot com Assigned: helly (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 6CVS-2007-07-11 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2007-07-11 21:12 UTC] php at hristov dot com
Description:
------------
Try the example with HEAD (5_2 seems immune)
The example exploits that sort() needs its parameter to be passed by reference, which we don't do. zend_call_function() will bail out on this, and return FAILURE when called from call_user_func_array().
The first instruction of zend_call_function() is 

   *fci->retval_ptr_ptr = NULL;

with this we lose the original pointer and leak when zend_call_function() returns with FAILURE. In this case in call_user_func_array() new memory for return_value is allocated, which later is destructed.

[23:55:29] andrey@lmy004:~/dev/php6> ./php -r '$a=array(4,3,2);call_user_func_array("sort", array($a));var_dump($a);'
array(3) {
  [0]=>
  int(4)
  [1]=>
  int(3)
  [2]=>
  int(2)
}
[Wed Jul 11 23:55:32 2007]  Script:  '-'
/home/andrey/dev/php6/Zend/zend_vm_execute.h(191) :  Freeing 0x40D4C400 (16 bytes), script=-
=== Total 1 memory leaks detected ===


Reproduce code:
---------------
php -r '$a=array(4,3,2);call_user_func_array("sort", array($a));var_dump($a);'
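The pointer sequence the report describes, as an added model in C; it is not engine code from the report or from PHP. The zval and function_entry structs, the two call functions and the allocation counter are stand-ins (assumptions) chosen to make the ownership visible: the callee clears the caller's result slot on entry, bails out with FAILURE when a by-reference parameter (sort()'s array) arrives by value, and the caller, finding its slot empty, allocates a fresh return_value that it later destructs. The "fixed" variant validates the arguments before touching anything the caller owns; that ordering is one possible fix, not the patch linked from the comments, which was applied to the call_user*() callers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the pointer handling in bug #41970. Nothing below is Zend
 * engine code: zval, function_entry and the call functions are stand-ins
 * (assumptions) that reproduce only the ownership sequence the report gives. */

typedef struct { int value; bool is_ref; } zval;              /* is_ref: "passed by reference" */
typedef struct { const char *name; bool arg_must_be_ref; } function_entry;

enum { SUCCESS = 0, FAILURE = -1 };

/* Allocation accounting: plays the role of the engine's leak report
 * ("=== Total 1 memory leaks detected ==="). */
static int live_zvals = 0;
int last_call_rc = SUCCESS;   /* SUCCESS/FAILURE of the most recent modelled call */

static zval *zval_alloc(void)
{
    zval *z = calloc(1, sizeof *z);
    if (!z) abort();
    live_zvals++;
    return z;
}

static void zval_free(zval *z)
{
    if (z) { free(z); live_zvals--; }
}

typedef int (*call_fn)(const function_entry *, zval *, zval **);

/* Model of zend_call_function() as the report describes it: the first thing
 * it does is clear the caller's result slot; only afterwards does it notice
 * that the by-reference argument was passed by value and bail out. */
static int call_function_buggy(const function_entry *fn, zval *arg, zval **retval_ptr_ptr)
{
    zval *return_value = *retval_ptr_ptr;   /* caller-owned result zval */
    *retval_ptr_ptr = NULL;                 /* "*fci->retval_ptr_ptr = NULL;" */
    if (fn->arg_must_be_ref && !arg->is_ref) {
        return FAILURE;                     /* return_value is now unreachable: leaked */
    }
    return_value->value = 1;                /* handler fills in its result (sort() returns true) */
    *retval_ptr_ptr = return_value;
    return SUCCESS;
}

/* One possible fix (an assumption, not the patch linked from the report):
 * validate the arguments before touching anything the caller owns, so a
 * FAILURE return leaves the caller's pointer exactly as it was. */
static int call_function_fixed(const function_entry *fn, zval *arg, zval **retval_ptr_ptr)
{
    if (fn->arg_must_be_ref && !arg->is_ref) {
        return FAILURE;
    }
    (*retval_ptr_ptr)->value = 1;
    return SUCCESS;
}

/* Model of call_user_func_array(): the engine hands it a preallocated
 * return_value, it passes that slot through, and if the slot comes back
 * empty it allocates a fresh one, which is destructed on the way out. */
static int call_user_func_array_model(call_fn call, const function_entry *fn, zval *arg, int *result)
{
    zval *return_value = zval_alloc();
    int rc = call(fn, arg, &return_value);
    if (return_value == NULL) {
        return_value = zval_alloc();        /* "new memory for return_value is allocated" */
    }
    *result = return_value->value;
    zval_free(return_value);                /* "... which later is destructed" */
    return rc;
}

/* Run one modelled call of a by-reference function (sort() in the report)
 * with the argument passed by value or by reference, and return how many
 * zvals are still live afterwards; last_call_rc receives SUCCESS/FAILURE. */
int leaked_zvals_after_call(call_fn call, bool arg_is_ref)
{
    const function_entry sort_fn = { "sort", true };
    zval arg = { 0, arg_is_ref };           /* stands in for the array $a */
    int result = 0;
    live_zvals = 0;
    last_call_rc = call_user_func_array_model(call, &sort_fn, &arg, &result);
    return live_zvals;
}

int main(void)
{
    int leaks = leaked_zvals_after_call(call_function_buggy, false);
    printf("buggy callee, $a by value:     rc=%d leaked zvals=%d\n", last_call_rc, leaks);
    leaks = leaked_zvals_after_call(call_function_buggy, true);
    printf("buggy callee, $a by reference: rc=%d leaked zvals=%d\n", last_call_rc, leaks);
    leaks = leaked_zvals_after_call(call_function_fixed, false);
    printf("fixed callee, $a by value:     rc=%d leaked zvals=%d\n", last_call_rc, leaks);
    leaks = leaked_zvals_after_call(call_function_fixed, true);
    printf("fixed callee, $a by reference: rc=%d leaked zvals=%d\n", last_call_rc, leaks);
    return 0;
}
```

Only the combination the report exercises (by-value argument, buggy ordering) leaves a live zval behind, matching the single 16-byte leak in the reproduction; the by-reference path is clean in both variants because the callee reaches its success branch and hands the slot back. The general rule the model illustrates is that an out-parameter must not be cleared or overwritten until every failure return that precedes it has been passed, or the caller must own nothing through that pointer.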


 [2007-07-11 21:38 UTC] tony2001@php.net
Marcus, please take a look at it.
A patch like this: http://dev.daylessday.org/diff/bug41970.diff
fixes it for me, similar patches should be applied to other call_user*() funcs of course. 
Though I would really like to see a cleaner solution for it.
Can you think of any?
 [2007-07-12 09:19 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
