Bug #68996 Invalid free of CG(interned_empty_string)
Submitted: 2015-02-06 15:58 UTC Modified: 2015-02-08 14:11 UTC
From: manuel-php at mausz dot at Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.6RC1 OS:
Private report: No CVE-ID: None
 [2015-02-06 15:58 UTC] manuel-php at mausz dot at
If php_escape_html_entities fails, CG(interned_empty_string) will be freed:

* If interned strings are enabled (default) STR_EMPTY_ALLOC is an alias for CG(interned_empty_string)

* php_escape_html_entities_ex returns STR_EMPTY_ALLOC in case of failure

* php_escape_html_entities is used in php_verror if display_errors is enabled

* Thus CG(interned_empty_string) gets freed

This issue is even worse when opcache is enabled.

Sample script:
<?php
// Each call emits an error whose message contains the invalid UTF-8 sequence "\xfc\x63".
// Needs display_errors=On; the wddx and soap extensions are required for the last two lines.
fopen("\xfc\x63", "r");
wddx_serialize_value([ "\xfc\x63" => "foo" ]);
(new SoapServer(NULL, [ "location" => "http://foo", "uri" => "http://foo" ]))->fault("\xfc\x63", "foo");

No issues (imho):
php_escape_html_entities calls in are safe too


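The chain described in the report (an escaping routine that hands back a shared interned empty string on failure, and an error-display path that frees whatever it gets back) is reproduced below as an added example. This is a small model written for this page, not PHP's code: `mstr`, `escape_ex`, `str_free`, `str_free_safe`, `verror_buggy` and `verror_fixed` are hypothetical stand-ins for the zend string, php_escape_html_entities_ex, efree and php_verror, and the UTF-8 check is only structural. The actual fix commit is not shown on this page; the corrected path here simply refuses to free an interned string, which is the check PHP 5's STR_FREE macro performs.

```c
/* Added example (not PHP's code): models the invalid free of the interned
 * empty string. Names below are hypothetical stand-ins for PHP internals. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int interned;     /* 1: process-wide singleton, must never reach free() */
    size_t len;
    char *val;
} mstr;

/* Stand-in for CG(interned_empty_string); STR_EMPTY_ALLOC() aliases it. */
static mstr interned_empty = { 1, 0, "" };
#define STR_EMPTY_ALLOC() (&interned_empty)

/* Instrumentation: a real efree() of the singleton corrupts the allocator;
 * here the attempt is counted so the demo shows the bug without crashing. */
int invalid_frees = 0;

/* Unconditional release, like the efree() on the failure path in the report. */
static void str_free(mstr *s)
{
    if (s->interned) { invalid_frees++; return; }   /* would be an invalid free */
    free(s->val);
    free(s);
}

/* Release that refuses interned strings (the check STR_FREE performs). */
static void str_free_safe(mstr *s)
{
    if (!s->interned) str_free(s);
}

/* Structural UTF-8 check: lead byte class and continuation count only, no
 * overlong/surrogate checks. 0xFC is never a valid lead, so "\xfc\x63" fails. */
static int utf8_valid(const unsigned char *p, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = p[i];
        size_t need;
        if (c < 0x80)                    need = 0;
        else if (c >= 0xC2 && c <= 0xDF) need = 1;
        else if (c >= 0xE0 && c <= 0xEF) need = 2;
        else if (c >= 0xF0 && c <= 0xF4) need = 3;
        else return 0;
        if (len - i - 1 < need) return 0;
        for (size_t k = 1; k <= need; k++)
            if ((p[i + k] & 0xC0) != 0x80) return 0;
        i += need + 1;
    }
    return 1;
}

/* Stand-in for php_escape_html_entities_ex: escapes HTML metacharacters into a
 * fresh allocation, but returns the SHARED empty string on invalid input. */
static mstr *escape_ex(const char *in, size_t len)
{
    if (!utf8_valid((const unsigned char *)in, len))
        return STR_EMPTY_ALLOC();              /* caller must not free this */
    mstr *out = malloc(sizeof *out);
    out->interned = 0;
    out->val = malloc(len * 6 + 1);            /* "&quot;" is the longest expansion */
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        const char *rep = NULL;
        switch (in[i]) {
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '&': rep = "&amp;";  break;
        case '"': rep = "&quot;"; break;
        }
        if (rep) { size_t rl = strlen(rep); memcpy(out->val + o, rep, rl); o += rl; }
        else out->val[o++] = in[i];
    }
    out->val[o] = '\0';
    out->len = o;
    return out;
}

/* Stand-in for php_verror with display_errors on: escape, print, release. */
static void verror_buggy(const char *msg)
{
    mstr *esc = escape_ex(msg, strlen(msg));
    printf("Warning: %s\n", esc->val);
    str_free(esc);        /* BUG: on the failure path esc is the interned singleton */
}

static void verror_fixed(const char *msg)
{
    mstr *esc = escape_ex(msg, strlen(msg));
    printf("Warning: %s\n", esc->val);
    str_free_safe(esc);   /* skips the singleton, frees real allocations */
}

int main(void)
{
    verror_buggy("fopen(a<b): failed");        /* valid UTF-8: fresh string, freed normally */
    verror_buggy("fopen(\xfc\x63): failed");   /* invalid UTF-8: frees the singleton */
    printf("invalid frees after buggy path: %d\n", invalid_frees);
    invalid_frees = 0;
    verror_fixed("fopen(\xfc\x63): failed");
    printf("invalid frees after fixed path: %d\n", invalid_frees);
    return 0;
}
```

The point to check in any such code base is the ownership contract of the failure return: a function that returns a shared sentinel on one path and a heap allocation on the other forces every caller to distinguish them before freeing, and a caller that was written against the "always fresh" assumption (as php_verror was here) becomes an invalid free the moment an invalid byte sequence reaches an error message.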
 [2015-02-06 16:03 UTC] manuel-php at mausz dot at
 [2015-02-07 17:57 UTC] manuel-php at mausz dot at
Btw, I've just found an existing bug report covering the first invalid free:
 [2015-02-07 18:06 UTC] manuel-php at mausz dot at
Err, #68214 is another invalid free. Looks like main/main.c#L790 is an issue. Will update my PR in a minute.
 [2015-02-08 14:11 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-02-08 14:11 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sun Dec 10 17:01:26 2023 UTC