Bug #47165 Possible memory corruption when passing return value by reference by
Submitted: 2009-01-20 11:14 UTC Modified: 2009-01-22 08:53 UTC
From: dmitry@php.net Assigned: dmitry
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.8 OS: *
Private report: No CVE-ID:
 [2009-01-20 11:14 UTC] dmitry@php.net
Description:
------------
The following code causes a double free() and memory corruption

Reproduce code:
---------------
<?php
class Foo {
	var $bar = array();

	static function bar() {
		static $instance = null;
		$instance = new Foo();
		return $instance->bar;
	}
}
extract(Foo::bar());
echo "ok\n";
?>


Expected result:
----------------
ok

Actual result:
--------------
ok
[Tue Jan 20 14:11:52 2009]  Script:  't.php'
/home/dmitry/php/php5.2/Zend/zend_vm_execute.h(7581) :  Freeing 0x09EE74DC (16 bytes), script=t.php
[Tue Jan 20 14:11:52 2009]  Script:  't.php'
/home/dmitry/php/php5.2/Zend/zend_variables.h(45) :  Freeing 0x09EE9C6C (44 bytes), script=t.php
/home/dmitry/php/php5.2/Zend/zend_variables.c(132) : Actual location (location was relayed)
[Tue Jan 20 14:11:52 2009]  Script:  't.php'
/home/dmitry/php/php5.2/Zend/zend_variables.c(133) :  Freeing 0x09EE9D68 (32 bytes), script=t.php
/home/dmitry/php/php5.2/Zend/zend_alloc.c(2386) : Actual location (location was relayed)
=== Total 3 memory leaks detected ===


$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php t.php 
==30559== Memcheck, a memory error detector.
==30559== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==30559== Using LibVEX rev 1804, a library for dynamic binary translation.
==30559== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==30559== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==30559== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==30559== For more details, rerun with: -v
==30559== 
ok
==30559== Invalid read of size 4
==30559==    at 0x8389C3E: _zval_ptr_dtor (zend_execute_API.c:412)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559==    by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559==    by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559==    by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559==    by 0x839ADD6: zend_deactivate (zend.c:860)
==30559==    by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559==    by 0x84222C3: main (php_cli.c:1314)
==30559==  Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559==    at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559==    by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559==    by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559==    by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559==    by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559==    by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559==    by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559==    by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559==    by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559== 
==30559== Invalid write of size 4
==30559==    at 0x8389C44: _zval_ptr_dtor (zend_execute_API.c:412)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559==    by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559==    by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559==    by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559==    by 0x839ADD6: zend_deactivate (zend.c:860)
==30559==    by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559==    by 0x84222C3: main (php_cli.c:1314)
==30559==  Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559==    at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559==    by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559==    by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559==    by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559==    by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559==    by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559==    by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559==    by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559==    by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559== 
==30559== Invalid read of size 4
==30559==    at 0x8389C4C: _zval_ptr_dtor (zend_execute_API.c:413)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559==    by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559==    by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559==    by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559==    by 0x839ADD6: zend_deactivate (zend.c:860)
==30559==    by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559==    by 0x84222C3: main (php_cli.c:1314)
==30559==  Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559==    at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559==    by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559==    by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559==    by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559==    by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559==    by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559==    by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559==    by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559==    by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559== 
==30559== Invalid read of size 4
==30559==    at 0x8389CA6: _zval_ptr_dtor (zend_execute_API.c:416)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559==    by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559==    by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559==    by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559==    by 0x839ADD6: zend_deactivate (zend.c:860)
==30559==    by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559==    by 0x84222C3: main (php_cli.c:1314)
==30559==  Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559==    at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559==    by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559==    by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559==    by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559==    by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559==    by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559==    by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559==    by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559==    by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559==    by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559==    by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559==    by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559== 
==30559== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 41 from 1)
==30559== malloc/free: in use at exit: 20,736 bytes in 1,349 blocks.
==30559== malloc/free: 16,443 allocs, 15,094 frees, 1,753,883 bytes allocated.
==30559== For counts of detected errors, rerun with: -v
==30559== searching for pointers to 1,349 not-freed blocks.
==30559== checked 1,027,500 bytes.
==30559== 
==30559== LEAK SUMMARY:
==30559==    definitely lost: 92 bytes in 3 blocks.
==30559==      possibly lost: 0 bytes in 0 blocks.
==30559==    still reachable: 20,644 bytes in 1,346 blocks.
==30559==         suppressed: 0 bytes in 0 blocks.
==30559== Rerun with --leak-check=full to see details of leaked memory.
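Added example, not code from the report or from PHP itself: the reproduce code above passes the return value of Foo::bar() (a temporary) straight into extract(), which accepts its argument by reference when it can. The script below places that trigger shape next to a workaround that binds the return value to a real variable first, so the by-reference argument is the local copy rather than the object's property slot. The array keys, the EXTR_SKIP flag and the commented-out trigger line are my choices and are not from the report.

```php
<?php
// Added example for Bug #47165; not part of the original report.
// Same class shape as the repro, with two keys so extract() has
// something visible to create.
class Foo {
    var $bar = array('x' => 1, 'y' => 2);

    static function bar() {
        static $instance = null;   // keeps the object alive until class destruction
        $instance = new Foo();
        return $instance->bar;      // returns the property value, a temporary
    }
}

// Trigger shape from the report. extract() prefers a by-reference
// argument, so the temporary is turned into a reference in place;
// on an unpatched 5.2.8 engine this is the double free shown in the
// valgrind trace. Uncomment only on a build you want to crash.
// extract(Foo::bar());

// Workaround: assign first, then extract. The reference now points at
// the local variable $vars, and the object's property slot is untouched.
$vars = Foo::bar();
extract($vars, EXTR_SKIP);   // EXTR_SKIP: never clobber variables that already exist

// Show that the extracted variables arrived and the object is intact.
var_dump(isset($x), isset($y));
echo "ok\n";
```

The assignment is the whole workaround: a temporary return value cannot be bound by reference without the engine rewriting it in place, whereas a named variable can. EXTR_SKIP is unrelated to the bug and is there because extract() with untrusted array keys can otherwise overwrite existing variables.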


 [2009-01-22 08:53 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 10:02:10 2014 UTC