php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #58526 Double free when zval is separated in convert_to_*
Submitted: 2009-01-28 18:54 UTC Modified: 2009-02-12 09:01 UTC
From: james82 at gmail dot com Assigned: mike (profile)
Status: Closed Package: pecl_http (PECL)
PHP Version: 5.2.5 OS: CentOS 5
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: james82 at gmail dot com
New email:
PHP Version: OS:

 

 [2009-01-28 18:54 UTC] james82 at gmail dot com
Description:
------------
pecl_http uses convert_to_* interface to convert variables 
between types. This interface "steals" the reference 
provided by the caller. When there are multiple references 
to the same variable, the convert_to_* interface separates 
the variable into two copies, so as to ensure that we only 
modify one of the references. This variable separation has 
two side effects:
  1) An extra copy of the variable is created. We should 
delete this copy when we are done with it.
  2) The variable separation decreased the reference count 
of our original variable.

We currently handle side effect #1, but we don't handle #2. 
This results in memory corruption and segfaults.



Reproduce code:
---------------
$o = array('ssl' => array('verifypeer'=>'1'));
$r = new HttpRequest('http://www.google.com');
$r->setOptions($o);
$r->send();

See http://www.cs.toronto.edu/~james/pecl-http-double-free-patch.txt for a possible patch for this issue. This patch should be reviewed carefully to make sure that, in fixing the double-free issue, it doesn't add any memory leaks.

Expected result:
----------------
No segfaults or double frees.

Actual result:
--------------
==19115== Invalid read of size 4
==19115==    at 0x5A52B7: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BC7C1: (within /usr/bin/php)
==19115==    by 0x5BCA37: zend_hash_graceful_reverse_destroy 
(in /usr/bin/php)
==19115==    by 0x5A59AA: shutdown_executor (in 
/usr/bin/php)
==19115==    by 0x5B20B1: zend_deactivate (in /usr/bin/php)
==19115==    by 0x56F89D: php_request_shutdown (in 
/usr/bin/php)
==19115==  Address 0xD09D810 is 16 bytes inside a block of 
size 24 free'd
==19115==    at 0x4C1E41E: free (vg_replace_malloc.c:233)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0xB138681: _http_request_object_free (in 
/usr/lib64/php/modules/http.so)
==19115==    by 0x5CFD89: 
zend_objects_store_del_ref_by_handle (in /usr/bin/php)
==19115==    by 0x5CFDBE: zend_objects_store_del_ref (in 
/usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==
==19115== Invalid read of size 4
==19115==    at 0x5A52BE: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BC7C1: (within /usr/bin/php)
==19115==    by 0x5BCA37: zend_hash_graceful_reverse_destroy 
(in /usr/bin/php)
==19115==    by 0x5A59AA: shutdown_executor (in 
/usr/bin/php)
==19115==    by 0x5B20B1: zend_deactivate (in /usr/bin/php)
==19115==    by 0x56F89D: php_request_shutdown (in 
/usr/bin/php)
==19115==  Address 0xD09D810 is 16 bytes inside a block of 
size 24 free'd
==19115==    at 0x4C1E41E: free (vg_replace_malloc.c:233)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in 
/usr/bin/php)
==19115==    by 0xB138681: _http_request_object_free (in 
/usr/lib64/php/modules/http.so)
==19115==    by 0x5CFD89: 
zend_objects_store_del_ref_by_handle (in /usr/bin/php)
==19115==    by 0x5CFDBE: zend_objects_store_del_ref (in 
/usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-12 09:01 UTC] mike@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Oct 27 08:03:36 2021 UTC