Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:15845
Return-Path: <kameshj@fastmail.fm>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 39724 invoked by uid 1010); 6 Apr 2005 07:14:00 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 39707 invoked from network); 6 Apr 2005 07:13:59 -0000
Received: from unknown (HELO cnmaya.com) (127.0.0.1)
  by localhost with SMTP; 6 Apr 2005 07:13:59 -0000
X-Host-Fingerprint: 66.111.4.25 out1.smtp.messagingengine.com  
Received: from ([66.111.4.25:35436] helo=out1.smtp.messagingengine.com)
	by pb1.pair.com (ecelerity HEAD r(5268)) with SMTP
	id 8D/DE-19272-63C83524 for <internals@lists.php.net>; Wed, 06 Apr 2005 03:13:58 -0400
Received: from web2.messagingengine.com (web2.internal [10.202.2.211])
	by frontend1.messagingengine.com (Postfix) with ESMTP id 942EFC7101A
	for <internals@lists.php.net>; Wed,  6 Apr 2005 03:13:54 -0400 (EDT)
Received: by web2.messagingengine.com (Postfix, from userid 99)
	id 0C30A2FB; Wed,  6 Apr 2005 03:13:53 -0400 (EDT)
Message-ID: <1112771633.21209.231222484@webmail.messagingengine.com>
X-Sasl-Enc: dh/g5PrcfPdG+EU4wdS87x+Q6IL/lvbsj+blCSxGmA5T 1112771633
To: internals@lists.php.net
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
X-Mailer: MIME::Lite 1.5  (F2.73; T1.001; A1.64; B3.05; Q3.03)
Date: Wed, 06 Apr 2005 00:13:53 -0700
Subject: refcount and hence double free issue
From: kameshj@fastmail.fm ("Kamesh Jayachandran")

Hi All,
I have come across a double free because of improper refcount
manipulation.
<?php
class MyTextSanitizer
{
    var $smileys=array()
    function MyTextSanitizer() {}
    function getSmileys()
    {
        return $this->smileys;
    }
}
$myts = new MyTextSanitizer();
$smiles =& $myts->getSmileys(); //calling by ref alone causes improper
refcount 
$smiles = $myts->getSmileys(); //this does not cause improper refcount 
?>

What is happening is class_entry->default_properties and
object->properties are sharing the same zval** as the data($smileys)
against their keys with incrementing the refcount.
In the execution of the script refcount of $smileys is changing from 
1->2, 
2->3, 
3->2, 
2->3, 
3->2, 
2->1, --->when it is 1 zend_objects_free_object_storage calls
zend_hash_destroy of object->properties which calls _zval_ptr_dtor on
each of its data($smiley) frees it if the refcount ==1
1->0 --destroy_zend_class also calls
zend_hash_destroy(&ce->default_properties) by the time
$smiley->refcount=0 and storage is already freed which is accessed by
_zval_ptr_dtor to decrement the refcount which causes a segfault with a
huge script.

Anyway will see who and all increment/decrement the refcount and see
where to increment it or not to decrement it.

With regards
Kamesh Jayachandran