[go: up one dir, main page]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Double free of init_file in phpdbg_prompt.c #12962

Closed
burkeartem opened this issue Dec 16, 2023 · 1 comment
Closed

Double free of init_file in phpdbg_prompt.c #12962

burkeartem opened this issue Dec 16, 2023 · 1 comment
Labels
Bug SAPI: phpdbg Status: Verified

Comments

@burkeartem
Copy link

Description

Pointer init_file is passed to a function free at phpdbg_prompt.c:368 by calling function after the referenced memory was deallocated at phpdbg_prompt.c:333 by passing as first parameter to function phpdbg_try_file_init at phpdbg_prompt.c:367.

  1. In line 367 init_file is passed to function phpdbg_try_file_init and variable free_init (last parameter) is set to 1:

    php-src/sapi/phpdbg/phpdbg_prompt.c

    Lines 367 to 368 in 38bd305

    phpdbg_try_file_init(init_file, strlen(init_file), 1);
    free(init_file);
  2. Then init_file is freed in function phpdbg_try_file_init:

    php-src/sapi/phpdbg/phpdbg_prompt.c

    Lines 332 to 334 in 38bd305

    if (free_init) {
    free(init_file);
    }
  3. init_file is freed again in line 368:

    php-src/sapi/phpdbg/phpdbg_prompt.c

    Lines 367 to 368 in 38bd305

    phpdbg_try_file_init(init_file, strlen(init_file), 1);
    free(init_file);

This is probably a small typo, as there is a counterexample here (free_init is set to 0):

php-src/sapi/phpdbg/phpdbg_prompt.c

Lines 348 to 349 in 38bd305

phpdbg_try_file_init(sys_ini, strlen(sys_ini), 0);
free(sys_ini);

Found by Linux Verification Center (portal.linuxtesting.ru) with SVACE.
Author A. Burke.

PHP Version

PHP 8.2.3

Operating System

No response
@nielsdos
Copy link
Member

Thanks for the report. This is a true positive as I was able to create a reproducer. PR coming soon.

nielsdos added a commit to nielsdos/php-src that referenced this issue Dec 17, 2023
@nielsdos
Fix phpGH-12962: Double free of init_file in phpdbg_prompt.c
1413a07 
See phpGH-12962 for analysis.
@nielsdos nielsdos mentioned this issue Dec 17, 2023
Closed
@nielsdos nielsdos linked a pull request Dec 17, 2023 that will close this issue
Fix GH-12962: Double free of init_file in phpdbg_prompt.c #12963
Closed
nielsdos added a commit that referenced this issue Dec 17, 2023
@nielsdos
Merge branch 'PHP-8.2' into PHP-8.3
4fc336c 
* PHP-8.2:
  Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash
  Fix GH-12962: Double free of init_file in phpdbg_prompt.c
nielsdos added a commit that referenced this issue Dec 17, 2023
@nielsdos
Merge branch 'PHP-8.3'
61b7370 
* PHP-8.3:
  Fix GH-12929: SimpleXMLElement with stream_wrapper_register can segfault
  Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash
  Fix GH-12962: Double free of init_file in phpdbg_prompt.c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug SAPI: phpdbg Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix GH-12962: Double free of init_file in phpdbg_prompt.c nielsdos/php-src
2 participants
@nielsdos @burkeartem