Bug #78761 Zend memory heap corruption with preload and pointer casting
Submitted: 2019-10-30 11:28 UTC
Modified: 2019-10-30 18:02 UTC
From: lisachenko dot it at gmail dot com
Assigned: cmb
Status: Closed
Package: *Extensibility Functions
PHP Version: 7.4.0RC4
OS: Windows x64
Private report: No
CVE-ID: None
 [2019-10-30 11:28 UTC] lisachenko dot it at gmail dot com
Description:
------------
There is a zend_mm_heap corruption when using FFI preload mode and proxying requests to the FFI::cast from a preloaded class.
Corruptions appear when trying to cast any CData pointer to another type via preloaded class that wraps FFI::cast() internally.

Test script:
---------------
See gist: https://gist.github.com/lisachenko/f133184201aa3c63d58af9548bdd825a

Expected result:
----------------
No memory corruption

Actual result:
--------------
Script terminated with zend_mm_heap corrupted

History

 [2019-10-30 17:52 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2019-10-30 17:52 UTC] cmb@php.net
I can confirm this issue.  Simpler reproducer:

    <?php
    FFI::cast('char[10]', FFI::new('char[1]'));

and opcache.preload=preload.php which is

    <?php
    FFI::load(__DIR__ . '/header.h');

header.h may be empty.

The immediate problem seems to be that preloading sets
FFI_G(persistent) to 1, but doesn't necessarily reset it to 0 when
the loading is finished.  This causes the array type to be
allocated persistently, but it is later freed with efree().
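The root cause described in the comment above is an allocator-ownership mismatch: a global "persistent" flag leaks out of the loader, so a later request-scoped allocation lands in the persistent pool and is then released with the request-scoped free. The following C program is an added illustration of that pattern and is not Zend engine code; the names g_persistent, mode_alloc and request_free are a hypothetical stand-in for FFI_G(persistent), pemalloc() and efree(). A small tracking allocator records which pool each block came from and counts frees that go through the wrong path, and the buggy loader (flag never restored) is shown beside the fixed one (flag saved and restored).

```c
/* Added example modelling the allocator-mismatch pattern behind bug #78761.
 * Not Zend code: g_persistent, mode_alloc and request_free are a hypothetical
 * model of FFI_G(persistent), pemalloc() and efree(). */
#include <stdio.h>
#include <stdlib.h>

#define MAX_RECORDS 64

typedef struct {
    void *ptr;
    int persistent;   /* 1 if the block was taken from the persistent pool */
    int in_use;
} alloc_record;

static alloc_record records[MAX_RECORDS];
static size_t n_records = 0;
static int g_persistent = 0;     /* model of FFI_G(persistent) */
static int mismatch_count = 0;   /* persistent blocks released via request_free */

/* Allocate and record which pool the block belongs to. */
static void *tracked_alloc(size_t size, int persistent) {
    if (n_records >= MAX_RECORDS) return NULL;
    void *p = malloc(size);
    if (!p) return NULL;
    records[n_records].ptr = p;
    records[n_records].persistent = persistent;
    records[n_records].in_use = 1;
    n_records++;
    return p;
}

/* pemalloc-like: the pool is chosen by the current value of the global flag. */
static void *mode_alloc(size_t size) { return tracked_alloc(size, g_persistent); }

/* efree-like: request-scoped free. Releasing a persistent block here is the
 * ownership mismatch; a real allocator corrupts its heap, this model counts it. */
static void request_free(void *p) {
    for (size_t i = 0; i < n_records; i++) {
        if (records[i].ptr == p && records[i].in_use) {
            if (records[i].persistent) mismatch_count++;
            records[i].in_use = 0;
            free(p);
            return;
        }
    }
}

/* Release whatever the model still holds and reset global state. */
static void reset_tracking(void) {
    for (size_t i = 0; i < n_records; i++)
        if (records[i].in_use) free(records[i].ptr);
    n_records = 0;
    mismatch_count = 0;
    g_persistent = 0;
}

/* Buggy loader: sets the flag for the load but never restores it. */
static void preload_buggy(void) {
    g_persistent = 1;
    (void)mode_alloc(16);        /* type info, legitimately persistent */
    /* missing: g_persistent = 0; */
}

/* Fixed loader: save and restore the flag so later request work is unaffected. */
static void preload_fixed(void) {
    int saved = g_persistent;
    g_persistent = 1;
    (void)mode_alloc(16);        /* type info, legitimately persistent */
    g_persistent = saved;
}

/* Request path: a cast builds a temporary type and frees it with the
 * request-scoped free, exactly as the report describes. */
static void request_cast(void) {
    void *tmp = mode_alloc(32);
    request_free(tmp);
}

/* Runs preload then one request; returns how many persistent blocks were
 * released through the request-scoped free (0 means no mismatch). */
int run_scenario(int fixed) {
    reset_tracking();
    if (fixed) preload_fixed(); else preload_buggy();
    request_cast();
    int result = mismatch_count;
    reset_tracking();
    return result;
}

int main(void) {
    printf("buggy preload: %d mismatched free(s)\n", run_scenario(0));
    printf("fixed preload: %d mismatched free(s)\n", run_scenario(1));
    return 0;
}
```

The tracking allocator is the part worth keeping in mind as a defender: whenever a codebase selects an allocator from global state, a debug build that records the pool per block and asserts on the free path turns a silent heap corruption into an immediate, attributable failure.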
 [2019-10-30 18:02 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2019-10-30 18:06 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78761: Zend memory heap corruption with preload and casting
On GitHub:  https://github.com/php/php-src/pull/4876
Patch:      https://github.com/php/php-src/pull/4876.patch
 [2019-10-30 18:50 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0055f1e3dc7ec27778d6d3bd22404319b3ceeeca
Log: Fix #78761: Zend memory heap corruption with preload and casting
 [2019-10-30 18:50 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 10 15:01:28 2024 UTC