Bug #59537 Patch: memory leaks and handle zero-terminated keys
Submitted: 2010-12-10 05:20 UTC Modified: 2014-05-11 14:00 UTC
From: strube at physik3 dot gwdg dot de Assigned: gasolwu (profile)
Status: Closed Package: yp (PECL)
PHP Version: Irrelevant OS: Solaris, Linux
Private report: No CVE-ID: None
 [2010-12-10 05:20 UTC] strube at physik3 dot gwdg dot de
Description:
------------
Version: yp-0.1.0-dev
The PHP functions yp_match, yp_first, yp_next do not free the pointer variables outval and outkey, set by the OS functions of the same names as the PHP functions. These pointers should be freed on returning from the PHP functions.
(Well, for a few calls in CGI mode this may be irrelevant, but not in FastCGI or mod_php modes.)
Also, some maps (e.g., mail.aliases) may contain keys ending in a zero byte. These should be handled in yp_match by trying a second call to the OS function yp_match with a key length incremented by one (as does the OS command "ypmatch", see code of ypmatch.c from [e.g.] OpenSolaris).
A patch for yp.c is given below (output of diff -u).

Reproduce code:
---------------
--- yp.c.orig	Tue Dec  9 12:09:19 2008
+++ yp.c	Fri Dec 10 10:33:28 2010
@@ -146,7 +146,7 @@
 PHP_FUNCTION(yp_match)
 {
 	pval **domain, **map, **key;
-	char *outval;
+	char *outval=NULL;
 	int outvallen;
 
 	if((ZEND_NUM_ARGS() != 3) || zend_get_parameters_ex(3,&domain,&map,&key) == FAILURE) {
@@ -157,12 +157,22 @@
 	convert_to_string_ex(map);
 	convert_to_string_ex(key);
 
-	if((YP(error) = yp_match(Z_STRVAL_PP (domain), Z_STRVAL_PP (map), Z_STRVAL_PP (key), Z_STRLEN_PP (key), &outval, &outvallen))) {
+	YP(error) = yp_match(Z_STRVAL_PP (domain), Z_STRVAL_PP (map), Z_STRVAL_PP (key), Z_STRLEN_PP (key), &outval, &outvallen);
+	if(YP(error) == YPERR_KEY) {
+	    if(outval != NULL) {
+		free(outval);
+		outval = NULL;
+	    }
+	    YP(error) = yp_match(Z_STRVAL_PP (domain), Z_STRVAL_PP (map), Z_STRVAL_PP (key), Z_STRLEN_PP (key)+1, &outval, &outvallen);
+	}
+	if(YP(error)) {
+		if(outval != NULL) free(outval);
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", yperr_string (YP(error)));
 		RETURN_FALSE;
 	}
 
 	RETVAL_STRINGL(outval,outvallen,1);
+	free(outval);
 }
 /* }}} */
 
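Review bot: The retry branch in yp_match has no comment explaining why a second lookup is made with `Z_STRLEN_PP (key)+1`, and that length reads one byte past the PHP string's reported length. This appears safe only because the zval buffer still carries its terminating NUL after `convert_to_string_ex(key)`, so the invariant should be written down next to the call, for example `/* Some maps (e.g. mail.aliases) store keys including a trailing NUL; retry with the terminator counted, as ypmatch does. Relies on the zval string being NUL-terminated. */`. The `free(outval)` inside the `YPERR_KEY` branch is presumably dead unless the library writes outval on failure, which is not visible here. The new lines in that branch also mix four spaces with tabs while the rest of the function uses tabs. PHP_FUNCTION(yp_match) begins in the previous hunk.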
@@ -171,7 +181,7 @@
 PHP_FUNCTION(yp_first)
 {
 	pval **domain, **map;
-	char *outval, *outkey;
+	char *outval=NULL, *outkey=NULL;
 	int outvallen, outkeylen;
 
 	if((ZEND_NUM_ARGS() != 2) || zend_get_parameters_ex(2,&domain,&map) == FAILURE) {
@@ -182,6 +192,8 @@
 	convert_to_string_ex(map);
 
 	if((YP(error) = yp_first(Z_STRVAL_PP (domain), Z_STRVAL_PP (map), &outkey, &outkeylen, &outval, &outvallen))) {
+		if(outval != NULL) free(outval);
+		if(outkey != NULL) free(outkey);
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", yperr_string (YP(error)));
 		RETURN_FALSE;
 	}
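Review bot: The frees added on the yp_first failure path assume that a failing yp_first() leaves outval and outkey either untouched or pointing at heap memory it allocated. The new NULL initialisers cover the untouched case, but the other case depends on the platform's NIS library and is not visible in this patch, so it should be confirmed for both Solaris and Linux. The same assumption is made on the yp_next failure path and by `if(outval != NULL) free(outval);` in yp_match. The NULL guards are also redundant because free(NULL) is a no-op, so `free(outval);` and `free(outkey);` are enough. The body of yp_first starts before and continues after this hunk.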
@@ -191,6 +203,8 @@
 	/* Deprecated */
 	add_assoc_stringl(return_value,"key",outkey,outkeylen,1);
 	add_assoc_stringl(return_value,"value",outval,outvallen,1);
+	free(outval);
+	free(outkey);
 }
 /* }}} */
 
@@ -199,7 +213,7 @@
 PHP_FUNCTION(yp_next)
 {
 	pval **domain, **map, **key;
-	char *outval, *outkey;
+	char *outval=NULL, *outkey=NULL;
 	int outvallen, outkeylen;
 
 	if((ZEND_NUM_ARGS() != 3) || zend_get_parameters_ex(3,&domain,&map,&key) == FAILURE) {
@@ -211,6 +225,8 @@
 	convert_to_string_ex(key);
 
 	if((YP(error) = yp_next(Z_STRVAL_PP (domain), Z_STRVAL_PP (map), Z_STRVAL_PP (key), Z_STRLEN_PP (key), &outkey, &outkeylen, &outval, &outvallen))) {
+		if(outval != NULL) free(outval);
+		if(outkey != NULL) free(outkey);
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", yperr_string (YP(error)));
 		RETURN_FALSE;
 	}
@@ -217,6 +233,8 @@
 	
 	array_init(return_value);
 	add_assoc_stringl_ex(return_value,outkey,outkeylen+1,outval,outvallen,1);
+	free(outval);
+	free(outkey);
 }
 /* }}} */
 



 [2014-02-23 08:26 UTC] gasolwu@php.net
-Assigned To: +Assigned To: gasolwu
 [2014-05-11 14:00 UTC] gasolwu@php.net
-Status: Assigned +Status: Closed
 [2014-05-11 14:00 UTC] gasolwu@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 