Bug #70161 Double free or Use-After Free in PDO::sqliteCreateAggregate
Submitted: 2015-07-28 19:41 UTC Modified: 2017-10-20 19:02 UTC
Avg. Score:2.0 ± 1.0
Reproduced:0 of 1 (0.0%)
From: aebrahim722 at yahoo dot com Assigned:
Status: Not a bug Package: PDO SQLite
PHP Version: 7.0.0beta2 OS: Linux Ubuntu
Private report: No CVE-ID: None
 [2015-07-28 19:41 UTC] aebrahim722 at yahoo dot com

'cbname' is being freed from memory twice in PDO::sqliteCreateAggregate.

Proof of concept:

Expected result:
Freed only one time.

Actual result:
Freed twice => possible memory corruption.

 [2015-07-28 20:00 UTC]
-Status: Open +Status: Feedback
 [2015-07-28 20:00 UTC]
Do you have a reproducer please?

 [2015-07-28 20:53 UTC]
From the code, I see no possibility of double free there, but zend_str_release may possibly be called on null if zend_is_callable() does not initialize called_name. I could not find a codepath that does not initialize it (a bad object in zend_is_callable_ex does it, but zend_is_callable does not pass an object to zend_is_callable_ex), but it may happen, now or in the future, so adding a null check may be a good idea.
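To make the reasoning in the comment above concrete, here is an added example (not code from php-src or from anyone in this thread) that models the pattern with stand-in types: the callee hands back a fresh name on every call, the caller reuses one `cbname` variable for two callbacks, and a NULL guard covers the hypothetical path where the callee returns without setting the out-parameter. `model_string`, `model_is_callable`, `check_callbacks` and the assumed shape of the caller are all hypothetical.

```c
/* Added example, not php-src code: a minimal model of the
 * zend_is_callable() / zend_string_release() pattern discussed here.
 * All types and functions are stand-ins, not the Zend API. */
#include <stdlib.h>

/* Stand-in for zend_string: refcounted, freed when the count hits zero. */
typedef struct { unsigned refcount; const char *val; } model_string;

static model_string *model_string_init(const char *s) {
    model_string *z = malloc(sizeof *z);
    z->refcount = 1;
    z->val = s;
    return z;
}

/* Stand-in for zend_string_release(): no NULL check, like the real one. */
static void model_string_release(model_string *z) {
    if (--z->refcount == 0) free(z);
}

/* Stand-in for zend_is_callable(): every call hands back a freshly
 * allocated name in *name. `sets_name == 0` models the hypothetical path
 * the commenter worried about: returning without touching *name. */
static int model_is_callable(const char *cb, int sets_name, model_string **name) {
    if (!sets_name) return 0;
    *name = model_string_init(cb);
    return cb[0] != '\0';               /* callable iff non-empty */
}

/* Caller shaped like sqliteCreateAggregate (assumed shape): one cbname
 * variable reused for two callbacks. Each call assigns a new string, so
 * one release per call is one free per allocation, not a double free.
 * Starting at NULL and checking before release is the suggested guard.
 * Returns 1 if both callbacks are callable, 0 otherwise. */
static int check_callbacks(const char *step, const char *fini, int sets_name) {
    model_string *cbname = NULL;
    if (!model_is_callable(step, sets_name, &cbname)) {
        if (cbname) model_string_release(cbname);
        return 0;
    }
    model_string_release(cbname);
    cbname = NULL;
    if (!model_is_callable(fini, sets_name, &cbname)) {
        if (cbname) model_string_release(cbname);
        return 0;
    }
    model_string_release(cbname);
    return 1;
}
```

Without the `if (cbname)` guard, the `sets_name == 0` path would release a NULL pointer, which is the only defect the commenter could see in the pattern.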
 [2015-07-28 20:53 UTC]
-Status: Feedback +Status: Open -Type: Security +Type: Bug
 [2015-07-28 20:54 UTC]
-Assigned To: +Assigned To: iliaa
 [2015-07-28 21:01 UTC] aebrahim722 at yahoo dot com

Can you please explain how double free is not possible?

Kind regards.
 [2015-07-29 05:44 UTC]
@aebrahim722 Yeah, that was my point in asking for the reproducer. Actually it should be seen this way

So it would be nice to have a repro code, otherwise looks like no issue here.


 [2017-10-20 18:39 UTC]
-Status: Assigned +Status: Open -Assigned To: iliaa +Assigned To:
 [2017-10-20 18:39 UTC]
Unassigning as Ilia is not currently active
 [2017-10-20 19:02 UTC]
-Status: Open +Status: Not a bug
 [2017-10-20 19:02 UTC]
I agree with the previous commenters. The code doesn't read as problematic and seems in line with other uses of zend_is_callable.
Last updated: Mon Mar 04 16:01:29 2024 UTC