Memory management is broken for bad dictionaries #16326
We might overflow GH issue IDs by tomorrow. :)
Simpler reproducer: `deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => [""]]);` In Line 816 in e34eebb we're trying to
Incomplete patch (would solve the reported issue, but there are more; for instance
ext/zlib/zlib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c
index 3c9f72e82b..e964ef25df 100644
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@@ -813,7 +813,7 @@ static bool zlib_create_dictionary_string(HashTable *options, char **dict, size_
*++ptr = zval_get_string(cur);
if (!*ptr || ZSTR_LEN(*ptr) == 0 || EG(exception)) {
if (*ptr) {
- efree(*ptr);
+ zend_string_release(*ptr);
}
while (--ptr >= strings) {
efree(ptr); |
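Review bot: the `while (--ptr >= strings)` cleanup loop at the end of the hunk still calls `efree(ptr)` on the slot pointer, although `ptr` is a `zend_string **` (see `*++ptr = zval_get_string(cur)` and `ZSTR_LEN(*ptr)` above), so the earlier strings are neither released nor is a valid allocation freed. The same change as on the `-`/`+` lines applies here: `zend_string_release(*ptr);` in the loop body, for the same refcount and interned-string reasons.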
cmb69 added a commit to cmb69/php-src that referenced this issue on Oct 9, 2024:
We must not `efree()` `zend_string`s, since they may have a refcount greater than one, and may even be interned. We also must not confuse `zend_string *` with `zend_string **`. And we should play it safe by using `safe_emalloc()` to avoid theoretical integer overflows.
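The two rules in that commit message, as an added example that is not code from php-src: a minimal refcounted string type stands in for `zend_string` (an assumption, with `mstr_addref` and `mstr_release` in the roles of `zval_get_string()` and `zend_string_release()`), and `build_dictionary` shows a dictionary builder's error path releasing each collected string through its slot rather than freeing the slot pointer.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for zend_string (an assumption, not Zend's API); refcount 0
 * marks an interned string, which must never be freed. */
typedef struct { size_t refcount; size_t len; } mstr;
static size_t live_strings;   /* heap strings currently allocated */
static mstr *mstr_make(const char *s, size_t refcount) {
    mstr *z = malloc(sizeof *z);
    z->refcount = refcount; z->len = strlen(s);
    if (refcount) live_strings++;          /* interned strings are not tracked */
    return z;
}
static mstr *mstr_new(const char *s)    { return mstr_make(s, 1); }
static mstr *mstr_intern(const char *s) { return mstr_make(s, 0); }
/* zval_get_string() analogue: hand out one more reference. */
static mstr *mstr_addref(mstr *z) { if (z->refcount) z->refcount++; return z; }
/* zend_string_release() analogue: free only when the last reference goes
 * away, leave interned strings alone. A plain free() here is the bug. */
static void mstr_release(mstr *z) {
    if (z->refcount == 0) return;
    if (--z->refcount == 0) { free(z); live_strings--; }
}
/* Collect dictionary entries; an empty entry is an error. On error each slot
 * filled so far is released through the string it holds (strings[j], the
 * zend_string *), never by freeing the slot pointer (the zend_string **). */
static int build_dictionary(mstr *const *cands, size_t n, mstr ***out) {
    mstr **strings = malloc(n * sizeof *strings);
    for (size_t i = 0; i < n; i++) {
        strings[i] = mstr_addref(cands[i]);
        if (strings[i]->len == 0) {
            for (size_t j = i + 1; j-- > 0; ) mstr_release(strings[j]);
            free(strings);
            *out = NULL; return 0;
        }
    }
    *out = strings;
    return 1;
}
/* The reproducer's shape: a shared string followed by an empty entry.
 * Returns 1 when the error path neither frees the shared string nor leaks. */
static int error_path_is_clean(void) {
    mstr *shared = mstr_new("abc"), *cands[2] = { shared, mstr_intern("") };
    mstr **dict = NULL;
    int rc = build_dictionary(cands, 2, &dict);
    int ok = rc == 0 && dict == NULL && shared->refcount == 1 && live_strings == 1;
    mstr_release(shared);
    return ok && live_strings == 0;
}
```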
cmb69 changed the title from "Segmentation fault (heap-buffer-overflow) in Zend/zend_alloc.c:1528:28 in zend_mm_free_heap" to "Memory management is broken for bad dictionaries" on Oct 9, 2024.
cmb69 added a commit that referenced this issue on Oct 13, 2024:
* PHP-8.2: Fix GH-16326: Memory management is broken for bad dictionaries
cmb69 added a commit that referenced this issue on Oct 13, 2024:
* PHP-8.3: Fix GH-16326: Memory management is broken for bad dictionaries
cmb69 added a commit that referenced this issue on Oct 13, 2024:
* PHP-8.4: Fix GH-16326: Memory management is broken for bad dictionaries
Description
The following code:
Resulted in this output:
PHP Version: PHP 8.4.0-dev
Operating System: ubuntu 22.04