Newsgroups: php.internals
From: kameshj@fastmail.fm ("Kamesh Jayachandran")
To: "Wez Furlong"
Cc: wez@php.net, sniper@php.net, internals@lists.php.net
Date: Thu, 26 May 2005 00:29:01 -0700
Subject: Re: [PHP-DEV] refcount problems created by openssl_public_encrypt (symbol table corruption and double free)
Message-ID: <1117092541.32110.234993453@webmail.messagingengine.com>
In-Reply-To: <4e89b4260505251220256d7a72@mail.gmail.com>

Thanks Wez for pointing that out.
New patch is available at http://puggy.symonds.net/~kameshj/openssl.c.patch.5.0

convert_to_string_ex is needed, but not on val but on &tmpzp. (Got lost while manually copying the changes from my NetWare build environment to Linux.)

With regards
Kamesh Jayachandran

On Wed, 25 May 2005 15:20:25 -0400, "Wez Furlong" said:
> The patch doesn't look quite right.
>
> - convert_to_string_ex(val);
> + zval tmpz;
> + zval *tmpzp;
> + tmpz = *(*val);
> + zval_copy_ctor(&tmpz);
> + tmpz.refcount=1;
> + tmpzp = &tmpz;
>
> I think that this is a place where convert_to_string(val) should be
> used instead.
>
> - in = BIO_new_mem_buf(Z_STRVAL_PP(val),
> Z_STRLEN_PP(val));
> + in = BIO_new_mem_buf(Z_STRVAL_PP(&tmpzp),
> Z_STRLEN_PP(&tmpzp));
>
> If you still need to use zval* instead of zval**, you can use
> Z_STRVAL_P(tmpzp) instead of taking the address and using
> Z_STRVAL_PP().
>
> Can you check your patch again using convert_to_string() instead?
>
> --Wez.
>
> On 5/25/05, Kamesh Jayachandran wrote:
> > Hi Wez & Jani,
> > Following snippet causes double free of memory, corrupts the symbol
> > table.
> >
> > <?php
> > $pk=false;//As openssl_get_publickey($nonsense) can give false
> > openssl_public_encrypt("Test",$encrypted,$pk);
> > $pk=false;
> > ?>
> >
> > The culprit is php_openssl_evp_from_zval which is called by
> > openssl_public_encrypt.
> > openssl_public_encrypt reduces the refcount of $pk from 2 to 1.
> > zend_ptr_stack_clear_multiple reduces it again to 0 as a normal cleanup
> > upon return from openssl_public_encrypt.
> > And hence zval associated with $pk is getting freed.
> > But symbol table still refers to freed pointer.
> >
> > The patch for 5.0 Tree is available at
> > http://puggy.symonds.net/~kameshj/openssl.c.patch.5.0
> >
> > With regards
> > Kamesh Jayachandran
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
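Review bot: the quoted `+` block removes `convert_to_string_ex(val)` without converting anything in its place, so after `tmpz = *(*val)` a non-string `$pk` (the `false` from the repro) is copied unconverted and `Z_STRVAL_PP(&tmpzp)` then reads a payload that is not a string; the conversion must be applied to the local copy (`convert_to_string(&tmpz)` or `convert_to_string_ex(&tmpzp)`), which is what the reply above acknowledges. Separately, the shown lines call `zval_copy_ctor(&tmpz)` but no matching `zval_dtor(&tmpz)` appears after the `BIO_new_mem_buf` use; if the full patch also lacks one, the duplicated string buffer leaks on every call. Minor: `Z_STRVAL_P(tmpzp)` / `Z_STRLEN_P(tmpzp)` read more simply than taking the address of `tmpzp` and dereferencing it twice.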