Newsgroups: php.internals
Message-ID: <1117030464.8500.234927724@webmail.messagingengine.com>
To: wez@php.net, sniper@php.net
Cc: internals@lists.php.net
Date: Wed, 25 May 2005 07:14:24 -0700
Subject: refcount problems created by openssl_public_encrypt (symbol table corruption and double free)
From: kameshj@fastmail.fm ("Kamesh Jayachandran")

Hi Wez & Jani,

The following snippet causes a double free of memory and corrupts the symbol table. The culprit is php_openssl_evp_from_zval, which is called by openssl_public_encrypt. openssl_public_encrypt reduces the refcount of $pk from 2 to 1. zend_ptr_stack_clear_multiple reduces it again to 0 as the normal cleanup upon return from openssl_public_encrypt, and hence the zval associated with $pk gets freed, but the symbol table still refers to the freed pointer.

The patch for the 5.0 tree is available at http://puggy.symonds.net/~kameshj/openssl.c.patch.5.0

With regards,
Kamesh Jayachandran
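As an added illustration (not part of Kamesh's mail, and not Zend engine or ext/openssl code): a toy C model of the refcount lifecycle the mail describes. The symbol table holds one reference to $pk, the argument stack takes a second for the call, and the frame cleanup on return drops that second one. With the callee behaving like the buggy php_openssl_evp_from_zval (releasing a reference it never owned) the count reaches zero while the symbol table still points at the value, and the symbol table's own later release becomes the double free. The zval type, the outcome struct and the names zval_new, zval_release and run_call are hypothetical stand-ins; the model encodes only what the mail states and does not reproduce the patch at the URL above.

```c
/* Toy model of the refcount lifecycle described in the mail above.
 * Added example, not Zend engine code: the zval, symbol table and
 * argument stack are stand-ins, and the function names (zval_new,
 * zval_release, run_call, ...) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int   refcount;
    int   live;      /* 1 while the value's storage is allocated */
    char *payload;   /* heap buffer standing in for the key material */
} zval_t;

typedef struct {
    int refcount_after_return; /* refcount the caller sees after the call returns */
    int dangling_symbols;      /* symbol-table slots pointing at freed storage */
    int double_frees;          /* releases attempted on already-freed storage */
} outcome_t;

static zval_t *zval_new(const char *text)
{
    zval_t *z = calloc(1, sizeof *z);
    if (!z) abort();
    z->payload = malloc(strlen(text) + 1);
    if (!z->payload) abort();
    memcpy(z->payload, text, strlen(text) + 1);
    z->live = 1;            /* refcount starts at 0; each owner adds its own */
    return z;
}

static void zval_addref(zval_t *z) { z->refcount++; }

/* Drop one reference. Storage goes away at zero; a release after that is
 * the double free, recorded instead of crashing so it can be asserted on. */
static void zval_release(zval_t *z, outcome_t *o)
{
    if (!z->live) { o->double_frees++; return; }
    if (--z->refcount == 0) {
        free(z->payload);
        z->payload = NULL;
        z->live = 0;
    }
}

/* One script-level call: $pk lives in the symbol table, is passed as an
 * argument, and the argument stack is cleared on return. With
 * callee_drops_borrowed_ref set, the callee behaves like the buggy
 * php_openssl_evp_from_zval described in the mail and releases a
 * reference it never owned. */
static outcome_t run_call(int callee_drops_borrowed_ref)
{
    outcome_t o = {0, 0, 0};
    zval_t *pk = zval_new("-----BEGIN PUBLIC KEY-----"); /* constructed stand-in */

    zval_t *symtab_pk = pk;   /* $pk = ...: the symbol table owns one reference */
    zval_addref(symtab_pk);   /* refcount 1 */

    zval_t *arg = pk;         /* openssl_public_encrypt(..., $pk, ...) */
    zval_addref(arg);         /* the argument stack owns a second: refcount 2 */

    if (callee_drops_borrowed_ref)
        zval_release(arg, &o);   /* the bug: 2 -> 1 inside the callee */

    zval_release(arg, &o);       /* zend_ptr_stack_clear_multiple: frame's ref dropped */
    o.refcount_after_return = pk->refcount;   /* buggy: 0 (freed); fixed: 1 */

    if (!symtab_pk->live)
        o.dangling_symbols++;    /* $pk still in the symbol table, storage gone */

    zval_release(symtab_pk, &o); /* script teardown: symbol table drops its ref */

    if (pk->live) free(pk->payload);
    free(pk);
    return o;
}

int main(void)
{
    outcome_t bug = run_call(1), ok = run_call(0);
    printf("buggy callee: refcount after return=%d dangling=%d double frees=%d\n",
           bug.refcount_after_return, bug.dangling_symbols, bug.double_frees);
    printf("fixed callee: refcount after return=%d dangling=%d double frees=%d\n",
           ok.refcount_after_return, ok.dangling_symbols, ok.double_frees);
    return 0;
}
```

The point the model makes is the ownership rule: a zval reached through a function argument is borrowed by the callee, so the callee must not release it; the frame that pushed it is the one that pays the release on return. Any extra release in the callee shows up exactly as the mail describes, a count that hits zero one step early and a symbol-table entry left pointing at freed storage.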