Bug #71778 zend_std_get_method() inconsistently increments the method_name refcount
Submitted: 2016-03-10 22:26 UTC Modified: 2016-03-10 23:21 UTC
From: aharvey@php.net Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 7.0Git-2016-03-10 (Git) OS: Irrelevant
Private report: No CVE-ID: None
 [2016-03-10 22:26 UTC] aharvey@php.net
Description:
------------
I'll file a PR for this shortly.

zend_std_get_method() doesn't increment the refcount on the given method_name zend_string (which is good) _except_ when the method is resolved via __call (which is bad). This is due to https://github.com/php/php-src/blob/741bfe3932de28c20f401cc7e0447fffb2bea7d6/Zend/zend_object_handlers.c#L1065-L1069, which calls zend_string_copy() in normal operation.

This makes it very easy to leak the string, since a possible pattern might be:

method_name = zend_string_init(name, name_len, 0);                    /* refcount 1, owned by the caller (0 = non-persistent) */
func = Z_OBJ_HT_P(obj)->get_method(&Z_OBJ_P(obj), method_name, NULL); /* borrows the name, or copies it on the __call path */
zend_string_release(method_name);                                      /* drops the caller's reference: frees only if nothing else holds one */

For non-__call classes, method_name is freed at this point. For __call classes, not so much. Obviously another option here is to use zend_string_free(), but I think it'd be considerably better if we just didn't ever increment the refcount.


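The leak the report describes comes from two code paths that disagree about whether the callee borrows or copies the name. The following is an added, self-contained C model of that situation (written for this page, not php-src code): a hypothetical rc_string stands in for zend_string, get_method() models the two lookup paths, and a live-allocation counter makes the outcome of the caller pattern above measurable. All names in it are invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical stand-in for zend_string: a refcounted, length-prefixed buffer.
 * It models the ownership rules only; it is not the engine's struct. */
typedef struct {
    uint32_t refcount;
    size_t len;
    char val[];
} rc_string;

/* Allocations not yet freed. Nonzero after the caller pattern means a leak. */
static int live_strings = 0;

static rc_string *rc_string_init(const char *s, size_t len) {
    rc_string *str = malloc(sizeof(*str) + len + 1);
    if (!str) abort();
    str->refcount = 1;
    str->len = len;
    memcpy(str->val, s, len);
    str->val[len] = '\0';
    live_strings++;
    return str;
}

/* Like zend_string_copy(): share the buffer and take one more reference. */
static rc_string *rc_string_copy(rc_string *s) {
    s->refcount++;
    return s;
}

/* Like zend_string_release(): drop one reference, free when it hits zero. */
static void rc_string_release(rc_string *s) {
    if (--s->refcount == 0) {
        free(s);
        live_strings--;
    }
}

/* Result of a lookup. held_name is non-NULL only when the lookup kept its
 * own reference to the name (the __call trampoline case). */
typedef struct {
    const char *resolved;
    rc_string *held_name;
} method_t;

/* Model of zend_std_get_method() as the report describes it:
 * - a direct hit only borrows method_name (refcount untouched);
 * - resolution via __call copies the name into the trampoline
 *   (refcount incremented) when copy_on_call is nonzero, which is the
 *   inconsistency reported; copy_on_call == 0 models the proposed
 *   "never increment" behaviour. */
static method_t get_method(int via_call, int copy_on_call, rc_string *method_name) {
    method_t m = { "direct", NULL };
    if (via_call) {
        m.resolved = "__call";
        if (copy_on_call) {
            m.held_name = rc_string_copy(method_name);
        }
    }
    return m;
}

/* The caller pattern quoted in the report: init, lookup, release once.
 * Returns how many strings are still alive right after that release:
 * 0 when the single release freed the name, 1 when it did not. */
static int strings_alive_after_caller_pattern(int via_call, int copy_on_call) {
    rc_string *method_name = rc_string_init("foo", 3);
    method_t m = get_method(via_call, copy_on_call, method_name);
    rc_string_release(method_name);
    int alive = live_strings;
    /* Release whatever the trampoline kept so the next scenario starts clean. */
    if (m.held_name) rc_string_release(m.held_name);
    return alive;
}

int main(void) {
    printf("direct hit, copying lookup   : %d alive\n", strings_alive_after_caller_pattern(0, 1));
    printf("__call,     copying lookup   : %d alive (leaked by the caller pattern)\n", strings_alive_after_caller_pattern(1, 1));
    printf("direct hit, borrowing lookup : %d alive\n", strings_alive_after_caller_pattern(0, 0));
    printf("__call,     borrowing lookup : %d alive\n", strings_alive_after_caller_pattern(1, 0));
    return 0;
}
```

The counter is the check a practitioner would add when auditing a refcount contract: every owner of a reference must release exactly once, so an instrumented run of the calling convention should end at zero. The model deliberately stops at the lookup and does not show what the real trampoline later does with the reference it took; that is the part the PR discussion referred to below settled.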
History

 [2016-03-10 23:21 UTC] aharvey@php.net
-Status: Open +Status: Not a bug
 [2016-03-10 23:21 UTC] aharvey@php.net
Not a bug, per PR discussion with Nikita.
 