|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2021-04-19 12:43 UTC] nikic@php.net
[2021-04-19 12:46 UTC] nikic@php.net
-Status: Open
+Status: Not a bug
[2021-04-19 12:46 UTC] nikic@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Oct 25 13:00:01 2025 UTC |
Description: ------------ File: ext/spl/spl_dllist.c Bug Function: PHP_METHOD(SplDoublyLinkedList, offsetUnset) In this function, element is obtained via spl_ptr_llist_offset() at line 834. At line 863, the ref of element is decreased by one via SPL_LLIST_DELREF(element), if the refcount of element is 0 now, the element will be freed. But the freed element is still used at line 869 by SPL_LLIST_DELREF(element) which is a macro of "if (!-- ((element)->data).u2.extra) { _efree((element)); }". It is a use after free. If the freed memory of element is allocated by other objects before line 869, then it is possible to fake structures to modify the refcount of element and cause an additional double free. Test script: --------------- 834: element = spl_ptr_llist_offset(intern->llist, index, intern->flags & SPL_DLLIST_IT_LIFO); ... if (intern->traverse_pointer == element) { 863: SPL_LLIST_DELREF(element); // element First freed here! intern->traverse_pointer = NULL; } zval_ptr_dtor(&element->data); ZVAL_UNDEF(&element->data); 869: SPL_LLIST_DELREF(element) // Freed element is used and could be freed again!