Bug #72827 Uninitialized value and memory leaks in php_openssl_enable_crypto
Submitted: 2016-08-13 10:50 UTC Modified: 2021-05-28 14:14 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6Git-2016-08-13 (Git) OS: *
Private report: No CVE-ID: None
 [2016-08-13 10:50 UTC] cmb@php.net
Description:
------------
This is a follow-up on bug #62523.

When running the supplied reproduce script with valgrind, two
issues are reported:

- Conditional jump or move depends on uninitialised value(s)

  That is about cert_captured, which is not initialized in this
  case, but is nonetheless used in an if condition[1].
 
- Memory leaks
 
[1] <https://github.com/php/php-src/blob/PHP-5.6.24/ext/openssl/xp_ssl.c#L1791>


Test script:
---------------
USE_ZEND_ALLOC=0 valgrind php -r "exif_read_data('http://dl.dropbox.com/u/7562584/Bugs/Php/bad_exif.jpeg');"


Expected result:
----------------
no valgrind complaints

Actual result:
--------------
==28829== Memcheck, a memory error detector
==28829== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==28829== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==28829== Command: sapi/cli/php -n -r exif_read_data('http://dl.dropbox.com/u/7562584/Bugs/Php/bad_exif.jpeg');
==28829==
==28829== Conditional jump or move depends on uninitialised value(s)
==28829==    at 0x47E9B3: php_openssl_enable_crypto (xp_ssl.c:1791)
==28829==    by 0x47F8F8: php_openssl_sockop_set_option (xp_ssl.c:2223)
==28829==    by 0x5EB992: _php_stream_set_option (streams.c:1357)
==28829==    by 0x5FB382: php_stream_xport_crypto_enable (transports.c:384)
==28829==    by 0x47F9AF: php_openssl_sockop_set_option (xp_ssl.c:2248)
==28829==    by 0x5EB992: _php_stream_set_option (streams.c:1357)
==28829==    by 0x5FAF16: php_stream_xport_connect (transports.c:243)
==28829==    by 0x5FA9C3: _php_stream_xport_create (transports.c:143)
==28829==    by 0x5ADA25: php_stream_url_wrap_http_ex (http_fopen_wrapper.c:210)
==28829==    by 0x5B2592: php_stream_url_wrap_http_ex (http_fopen_wrapper.c:899)
==28829==    by 0x5B2592: php_stream_url_wrap_http_ex (http_fopen_wrapper.c:899)
==28829==    by 0x5B2863: php_stream_url_wrap_http (http_fopen_wrapper.c:963)
==28829==
==28829==
==28829== HEAP SUMMARY:
==28829==     in use at exit: 15,926 bytes in 376 blocks
==28829==   total heap usage: 15,220 allocs, 14,844 frees, 9,302,152 bytes allocated
==28829==
==28829== 2,224 (32 direct, 2,192 indirect) bytes in 1 blocks are definitely lost in loss record 111 of 112
==28829==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==28829==    by 0x5E7C337: CRYPTO_malloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F05DDE: sk_new (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2AF22: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2B06B: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2A1D6: ASN1_item_ex_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2AB8A: ASN1_item_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F480B3: X509V3_EXT_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x47ABE0: matches_san_list (xp_ssl.c:379)
==28829==    by 0x47B4E9: apply_peer_verification_policy (xp_ssl.c:535)
==28829==    by 0x47E82A: php_openssl_enable_crypto (xp_ssl.c:1761)
==28829==    by 0x47F8F8: php_openssl_sockop_set_option (xp_ssl.c:2223)
==28829==
==28829== 11,318 (184 direct, 11,134 indirect) bytes in 1 blocks are definitely lost in loss record 112 of 112
==28829==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==28829==    by 0x5E7C337: CRYPTO_malloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F27B13: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2A550: ASN1_item_ex_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5F2AB8A: ASN1_item_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x5BC2514: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0)
==28829==    by 0x5BC7091: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0)
==28829==    by 0x5BD01C7: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0)
==28829==    by 0x47E618: php_openssl_enable_crypto (xp_ssl.c:1716)
==28829==    by 0x47F8F8: php_openssl_sockop_set_option (xp_ssl.c:2223)
==28829==    by 0x5EB992: _php_stream_set_option (streams.c:1357)
==28829==    by 0x5FB382: php_stream_xport_crypto_enable (transports.c:384)
==28829==
==28829== LEAK SUMMARY:
==28829==    definitely lost: 216 bytes in 2 blocks
==28829==    indirectly lost: 13,326 bytes in 328 blocks
==28829==      possibly lost: 0 bytes in 0 blocks
==28829==    still reachable: 2,384 bytes in 46 blocks
==28829==         suppressed: 0 bytes in 0 blocks
==28829== Reachable blocks (those to which a pointer was found) are not shown.
==28829== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==28829==
==28829== For counts of detected and suppressed errors, rerun with: -v
==28829== Use --track-origins=yes to see where uninitialised values come from
==28829== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
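
Added example (not part of the original report or of php-src): a small Python triage helper that reduces Memcheck output like the above to one row per finding, attributed to the first frame that carries source-file information, which is where a fix in xp_ssl.c would start. The function name triage and the record layout are assumptions of this example; the sample input is abridged from the log above.

```python
import re

# Abridged from the Memcheck output in this report (frames trimmed for length).
SAMPLE = """\
==28829== Conditional jump or move depends on uninitialised value(s)
==28829==    at 0x47E9B3: php_openssl_enable_crypto (xp_ssl.c:1791)
==28829==
==28829== 2,224 (32 direct, 2,192 indirect) bytes in 1 blocks are definitely lost in loss record 111 of 112
==28829==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==28829==    by 0x5F480B3: X509V3_EXT_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==28829==    by 0x47ABE0: matches_san_list (xp_ssl.c:379)
==28829==
==28829== 11,318 (184 direct, 11,134 indirect) bytes in 1 blocks are definitely lost in loss record 112 of 112
==28829==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==28829==    by 0x5BD01C7: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0)
==28829==    by 0x47E618: php_openssl_enable_crypto (xp_ssl.c:1716)
==28829==
==28829== Use --track-origins=yes to see where uninitialised values come from
"""

PREFIX = re.compile(r"^==\d+==\s?")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((.+)\)$")
LEAK = re.compile(r"^([\d,]+) (?:\(.*?\) )?bytes in [\d,]+ blocks are "
                  r"(definitely lost|indirectly lost|possibly lost|still reachable)")
UNINIT = re.compile(r"^(?:Conditional jump or move depends on|Use of) uninitialised value")

def triage(log):
    """Return one dict per Memcheck record: kind, bytes, first source-level frame."""
    records, cur = [], None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw.rstrip())
        frame = FRAME.match(line)
        if not line.strip():
            cur = None  # a blank "==pid==" line ends the current record
        elif frame:
            func, where = frame.groups()
            # Skip frames inside shared objects ("in /path/lib.so") and
            # Valgrind's own allocator wrappers (vg_replace_malloc.c).
            if cur and cur["site"] is None and not where.startswith(("in ", "vg_replace_")):
                cur["site"] = f"{func} ({where})"
        else:
            leak, uninit = LEAK.match(line), UNINIT.match(line)
            if leak or uninit:
                cur = {"kind": leak.group(2) if leak else "uninitialised read",
                       "bytes": int(leak.group(1).replace(",", "")) if leak else 0,
                       "site": None}
                records.append(cur)
    return records

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```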

 [2021-05-28 14:14 UTC] cmb@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cmb
 [2021-05-28 14:14 UTC] cmb@php.net
The first issue has already been fixed in the meantime; the second
likely has as well, but this is not verifiable because
bad_exif.jpeg has gone.
 
Last updated: Fri Jul 04 09:01:34 2025 UTC