Bug #72827 Uninitialized value and memory leaks in php_openssl_enable_crypto
Submitted: 2016-08-13 10:50 UTC Modified: -
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: cmb@php.net Assigned:
Status: Open Package: OpenSSL related
PHP Version: 5.6Git-2016-08-13 (Git) OS: *
Private report: No CVE-ID: None
 [2016-08-13 10:50 UTC] cmb@php.net
Description:
------------
This is a follow-up on bug #62523.

When running the supplied reproduce script with valgrind, two
issues are reported:

- Conditional jump or move depends on uninitialised value(s)

  That is about cert_captured, which is not initialized in this
  case, but is nonetheless used in an if condition [1].

- Memory leaks

[1] <https://github.com/php/php-src/blob/PHP-5.6.24/ext/openssl/xp_ssl.c#L1791>


Test script:
---------------
USE_ZEND_ALLOC=0 valgrind php -r "exif_read_data('http://dl.dropbox.com/u/7562584/Bugs/Php/bad_exif.jpeg');"


Expected result:
----------------
no valgrind complaints

Actual result:
--------------
==28829== Memcheck, a memory error detector
==28829== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==28829== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==28829== Command: sapi/cli/php -n -r exif_read_data('http://dl.dropbox.com/u/7562584/Bugs/Php/bad_exif.jpeg');
==28829==
==28829== Conditional jump or move depends on uninitialised value(s)
==28829==    at 0x47E9B3: php_openssl_enable_crypto (xp_ssl.c:1791)
==28829==    by 0x47F8F8: php_openssl_sockop_set_option (xp_ssl.c:2223)
==28829==    by 0x5EB992: _php_stream_set_option (streams.c:1357)
==28829==    by 0x5FB382: php_stream_xport_crypto_enable (transports.c:384)
==28829==    by 0x47F9AF: php_openssl_sockop_set_option (xp_ssl.c:2248)
==28829==    by 0x5EB992: _php_stream_set_option (streams.c:1357)
==28829==    by 0x5FAF16: php_stream_xport_connect (transports.c:243)
==28829==    by 0x5FA9C3: _php_stream_xport_create (transports.c:143)
==28829==    by 0x5ADA25: php_stream_url_wrap_http_ex (http_fopen_wrapper.c:210)
==28829==    by 0x5B2592: php_stream_url_wrap_http_ex (http_fopen_wrapper.c:899)
==28829==    by 0x5B2592: php_stream_url_wrap_http_ex (http_fopen_wrapper.c:899)
==28829==    by 0x5B2863: php_stream_url_wrap_http (http_fopen_wrapper.c:963)
==28829==
==28829==
==28829== HEAP SUMMARY:
==28829==     in use at exit: 15,926 bytes in 376 blocks
==28829==   total heap usage: 15,220 allocs, 14,844 frees, 9,302,152 bytes allocated
==28829==
==28829== 2,224 (32 direct, 2,192 indirect) bytes in 1 blocks are definitely lost in loss record 111 of 112
==28829==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==28829==    by 0x5E7C337: CRYPTO_malloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F05DDE: sk_new (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2AF22: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2B06B: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2A1D6: ASN1_item_ex_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2AB8A: ASN1_item_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F480B3: X509V3_EXT_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x47ABE0: matches_san_list (xp_ssl.c:379)
==28829==    by 0x47B4E9: apply_peer_verification_policy (xp_ssl.c:535)
==28829==    by 0x47E82A: php_openssl_enable_crypto (xp_ssl.c:1761)
==28829==    by 0x47F8F8: php_openssl_sockop_set_option (xp_ssl.c:2223)
==28829==
==28829== 11,318 (184 direct, 11,134 indirect) bytes in 1 blocks are definitely lost in loss record 112 of 112
==28829==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==28829==    by 0x5E7C337: CRYPTO_malloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F27B13: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2A550: ASN1_item_ex_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2AB8A: ASN1_item_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5BC2514: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0)
==28829==    by 0x5BC7091: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0)
==28829==    by 0x5BD01C7: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0)
==28829==    by 0x47E618: php_openssl_enable_crypto (xp_ssl.c:1716)
==28829==    by 0x47F8F8: php_openssl_sockop_set_option (xp_ssl.c:2223)
==28829==    by 0x5EB992: _php_stream_set_option (streams.c:1357)
==28829==    by 0x5FB382: php_stream_xport_crypto_enable (transports.c:384)
==28829==
==28829== LEAK SUMMARY:
==28829==    definitely lost: 216 bytes in 2 blocks
==28829==    indirectly lost: 13,326 bytes in 328 blocks
==28829==      possibly lost: 0 bytes in 0 blocks
==28829==    still reachable: 2,384 bytes in 46 blocks
==28829==         suppressed: 0 bytes in 0 blocks
==28829== Reachable blocks (those to which a pointer was found) are not shown.
==28829== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==28829==
==28829== For counts of detected and suppressed errors, rerun with: -v
==28829== Use --track-origins=yes to see where uninitialised values come from
==28829== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
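The following is an added example (not php-src code) that models the ownership pattern behind the first valgrind finding: a peer certificate obtained during the handshake is either handed to the stream context (captured) or must be freed locally, and the flag deciding that must be initialised on every path. It assumes a simplified stream context and a hypothetical capture_peer_cert() helper; a live-allocation counter stands in for valgrind so the result can be checked without it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the cert_captured ownership problem (added example,
 * not php-src code). Names and the context structure are assumptions. */

static int live_certs = 0;   /* outstanding allocations: stand-in for valgrind */

typedef struct { char subject[64]; } peer_cert_t;
typedef struct { peer_cert_t *captured_cert; } stream_ctx_t;

/* Stand-in for SSL_get_peer_certificate(): caller owns the returned object. */
static peer_cert_t *get_peer_certificate(const char *subject) {
    peer_cert_t *c = malloc(sizeof *c);
    if (!c) return NULL;
    snprintf(c->subject, sizeof c->subject, "%s", subject);
    live_certs++;
    return c;
}

static void cert_free(peer_cert_t *c) { if (c) { live_certs--; free(c); } }

/* Returns 1 when the context took ownership of the certificate (assumed helper). */
static int capture_peer_cert(stream_ctx_t *ctx, peer_cert_t *c) {
    if (!ctx) return 0;
    ctx->captured_cert = c;
    return 1;
}

/* Fixed shape of the pattern: the flag is initialised at declaration, so a
 * stream without a context (capture never attempted) takes the free branch
 * instead of branching on an indeterminate value; the error path frees too. */
int enable_crypto(stream_ctx_t *ctx, const char *subject, int verify_ok) {
    int cert_captured = 0;              /* the reported bug: left uninitialised */
    peer_cert_t *peer_cert = get_peer_certificate(subject);
    if (!peer_cert) return -1;

    if (!verify_ok) {                   /* verification failure: release and bail */
        cert_free(peer_cert);
        return -1;
    }
    if (ctx) cert_captured = capture_peer_cert(ctx, peer_cert);
    if (!cert_captured) cert_free(peer_cert);
    return 0;
}

int outstanding_certs(void) { return live_certs; }   /* leak check hook */

void ctx_release(stream_ctx_t *ctx) { cert_free(ctx->captured_cert); ctx->captured_cert = NULL; }
```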

Last updated: Mon May 27 03:01:26 2019 UTC