|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2021-04-19 12:43 UTC] nikic@php.net
[2021-04-19 12:46 UTC] nikic@php.net
-Status: Open
+Status: Not a bug
[2021-04-19 12:46 UTC] nikic@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 25 23:01:29 2024 UTC |
Description: ------------ File: ext/spl/spl_dllist.c Bug Function: PHP_METHOD(SplDoublyLinkedList, offsetUnset) In this function, element is obtained via spl_ptr_llist_offset() at line 834. At line 863, the ref of element is decreased by one via SPL_LLIST_DELREF(element), if the refcount of element is 0 now, the element will be freed. But the freed element is still used at line 869 by SPL_LLIST_DELREF(element) which is a macro of "if (!-- ((element)->data).u2.extra) { _efree((element)); }". It is a use after free. If the freed memory of element is allocated by other objects before line 869, then it is possible to fake structures to modify the refcount of element and cause an additional double free. Test script: --------------- 834: element = spl_ptr_llist_offset(intern->llist, index, intern->flags & SPL_DLLIST_IT_LIFO); ... if (intern->traverse_pointer == element) { 863: SPL_LLIST_DELREF(element); // element First freed here! intern->traverse_pointer = NULL; } zval_ptr_dtor(&element->data); ZVAL_UNDEF(&element->data); 869: SPL_LLIST_DELREF(element) // Freed element is used and could be freed again!