Bug #58526 Double free when zval is separated in convert_to_*
Submitted: 2009-01-28 18:54 UTC Modified: 2009-02-12 09:01 UTC
From: james82 at gmail dot com Assigned: mike (profile)
Status: Closed Package: pecl_http (PECL)
PHP Version: 5.2.5 OS: CentOS 5
Private report: No CVE-ID: None
 [2009-01-28 18:54 UTC] james82 at gmail dot com
Description:
------------
pecl_http uses the convert_to_* interface to convert variables between types. This interface "steals" the reference provided by the caller. When there are multiple references to the same variable, the convert_to_* interface separates the variable into two copies, so as to ensure that we only modify one of the references. This variable separation has two side effects:
  1) An extra copy of the variable is created. We should delete this copy when we are done with it.
  2) The variable separation decreased the reference count of our original variable.

We currently handle side effect #1, but we don't handle #2. This results in memory corruption and segfaults.



Reproduce code:
---------------
<?php
// $o stays referenced by the script after setOptions(), so the option zvals
// have more than one reference when pecl_http converts them.
$o = array('ssl' => array('verifypeer' => '1'));
$r = new HttpRequest('http://www.google.com');
$r->setOptions($o);
$r->send();

See http://www.cs.toronto.edu/~james/pecl-http-double-free-patch.txt for a possible patch for this issue. This patch should be reviewed carefully to make sure that, in fixing the double-free issue, it doesn't add any memory leaks.

Expected result:
----------------
No segfaults or double frees.

Actual result:
--------------
==19115== Invalid read of size 4
==19115==    at 0x5A52B7: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BC7C1: (within /usr/bin/php)
==19115==    by 0x5BCA37: zend_hash_graceful_reverse_destroy (in /usr/bin/php)
==19115==    by 0x5A59AA: shutdown_executor (in /usr/bin/php)
==19115==    by 0x5B20B1: zend_deactivate (in /usr/bin/php)
==19115==    by 0x56F89D: php_request_shutdown (in /usr/bin/php)
==19115==  Address 0xD09D810 is 16 bytes inside a block of size 24 free'd
==19115==    at 0x4C1E41E: free (vg_replace_malloc.c:233)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0xB138681: _http_request_object_free (in /usr/lib64/php/modules/http.so)
==19115==    by 0x5CFD89: zend_objects_store_del_ref_by_handle (in /usr/bin/php)
==19115==    by 0x5CFDBE: zend_objects_store_del_ref (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==
==19115== Invalid read of size 4
==19115==    at 0x5A52BE: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BC7C1: (within /usr/bin/php)
==19115==    by 0x5BCA37: zend_hash_graceful_reverse_destroy (in /usr/bin/php)
==19115==    by 0x5A59AA: shutdown_executor (in /usr/bin/php)
==19115==    by 0x5B20B1: zend_deactivate (in /usr/bin/php)
==19115==    by 0x56F89D: php_request_shutdown (in /usr/bin/php)
==19115==  Address 0xD09D810 is 16 bytes inside a block of size 24 free'd
==19115==    at 0x4C1E41E: free (vg_replace_malloc.c:233)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0x5B1A8E: _zval_dtor_func (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
==19115==    by 0x5BCAD7: zend_hash_destroy (in /usr/bin/php)
==19115==    by 0xB138681: _http_request_object_free (in /usr/lib64/php/modules/http.so)
==19115==    by 0x5CFD89: zend_objects_store_del_ref_by_handle (in /usr/bin/php)
==19115==    by 0x5CFDBE: zend_objects_store_del_ref (in /usr/bin/php)
==19115==    by 0x5A52F5: _zval_ptr_dtor (in /usr/bin/php)
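The refcount arithmetic the report describes, as an added model (constructed here, not pecl_http's or Zend's code): `zv`, `zv_dtor`, `convert_ex_model` and `run_scenario` are stand-ins for zval, zval_ptr_dtor and convert_to_*_ex with separation. Without compensating for side effect #2 the shared option is released twice, which is what the Valgrind trace above shows; with the compensation every block is released exactly once.

```c
#include <stdlib.h>
/* Constructed model of a PHP 5 zval, reduced to the refcount bookkeeping the
 * report argues about. Not the Zend API: names are stand-ins. */
typedef struct {
    int refcount;
    int freed;   /* logically released; memory is kept so a second release is observable */
} zv;

static int double_frees;   /* releases of an already-released block */
static zv *zv_new(void) {
    zv *z = calloc(1, sizeof *z);
    z->refcount = 1;
    return z;
}

/* Stands in for zval_ptr_dtor: drop one reference, release at zero. */
static void zv_dtor(zv *z) {
    if (z->freed) { double_frees++; return; }
    if (--z->refcount == 0) z->freed = 1;
}

/* Stands in for convert_to_*_ex: with other references outstanding, the value is
 * separated so only our copy is converted. The original loses one reference
 * (side effect #2) and *pz is redirected to a fresh copy with refcount 1 (#1). */
static void convert_ex_model(zv **pz) {
    if ((*pz)->refcount > 1) {
        (*pz)->refcount--;
        *pz = zv_new();
    }
}

/* Plays the report's scenario: an option zval held by $o and by the request's
 * options hash. compensate=1 restores the original's reference after separation.
 * Returns the number of double releases; *leaked counts blocks never released. */
static int run_scenario(int compensate, int *leaked) {
    double_frees = 0;
    zv *shared = zv_new();     /* $o['ssl']['verifypeer'] */
    shared->refcount = 2;      /* referenced by $o and by the options hash */
    zv *local = shared;
    convert_ex_model(&local);  /* separates: shared->refcount drops to 1 */
    if (compensate && local != shared) shared->refcount++;  /* handle side effect #2 */
    zv_dtor(local);            /* side effect #1 is already handled: release the copy */
    zv_dtor(shared);           /* options hash destroyed in _http_request_object_free */
    zv_dtor(shared);           /* $o destroyed at shutdown: second release if uncompensated */
    *leaked = !shared->freed + (local != shared && !local->freed);
    if (local != shared) free(local);
    free(shared);
    return double_frees;
}
```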




 [2009-02-12 09:01 UTC] mike@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 