Newsgroups: php.internals
Date: Wed, 25 May 2005 15:20:25 -0400
From: kingwez@gmail.com (Wez Furlong)
To: Kamesh Jayachandran
Cc: wez@php.net, sniper@php.net, internals@lists.php.net
Subject: Re: [PHP-DEV] refcount problems created by openssl_public_encrypt(symbol table corruption and double free)

The patch doesn't look quite right.

-       convert_to_string_ex(val);
+       zval tmpz;
+       zval *tmpzp;
+       tmpz = *(*val);
+       zval_copy_ctor(&tmpz);
+       tmpz.refcount=1;
+       tmpzp = &tmpz;

I think that this is a place where convert_to_string(val) should be used
instead.

-       in = BIO_new_mem_buf(Z_STRVAL_PP(val), Z_STRLEN_PP(val));
+       in = BIO_new_mem_buf(Z_STRVAL_PP(&tmpzp), Z_STRLEN_PP(&tmpzp));

If you still need to use zval* instead of zval**, you can use
Z_STRVAL_P(tmpzp) instead of taking the address and using Z_STRVAL_PP().

Can you check your patch again using convert_to_string() instead?

--Wez.

On 5/25/05, Kamesh Jayachandran wrote:
> Hi Wez & Jani,
> Following snippet causes double free of memory, corrupts the symbol
> table.
> <?php
> $pk=false;//As openssl_get_publickey($nonsense) can give false
> openssl_public_encrypt("Test",$encrypted,$pk);
> $pk=false;
> ?>
>
> The culprit is php_openssl_evp_from_zval which is called by
> openssl_public_encrypt.
> openssl_public_encrypt reduces the refcount of $pk from 2 to 1.
> zend_ptr_stack_clear_multiple reduces it again to 0 as a normal cleanup
> upon return from openssl_public_encrypt.
> And hence zval associated with $pk is getting freed.
> But symbol table still refers to freed pointer.
>
> The patch for 5.0 Tree is available at,
> http://puggy.symonds.net/~kameshj/openssl.c.patch.5.0
>
> With regards
> Kamesh Jayachandran
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
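Review bot: the lines shown drop `convert_to_string_ex(val)` but add no conversion of the copy, so `Z_STRVAL_PP(&tmpzp)` / `Z_STRLEN_PP(&tmpzp)` in the second hunk read string fields from a zval that may still hold the boolean `false` from the report; the copy needs `convert_to_string(tmpzp)` (the point Wez raises) before it is handed to `BIO_new_mem_buf`. The copy made by `zval_copy_ctor(&tmpz)` is also never released in the shown lines, so whatever buffer it owns after conversion leaks; a matching `zval_dtor(&tmpz)` once the BIO has been freed would close that.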