List:       php-internals
Subject:    Re: [PHP-DEV] refcount problems created by openssl_public_encrypt(symbol table corruption and double
From:       Wez Furlong <kingwez () gmail ! com>
Date:       2005-05-25 19:20:25
Message-ID: 4e89b4260505251220256d7a72 () mail ! gmail ! com

The patch doesn't look quite right.

-       convert_to_string_ex(val);
+       zval tmpz;
+       zval *tmpzp;
+       tmpz = *(*val);
+       zval_copy_ctor(&tmpz);
+       tmpz.refcount=1;
+       tmpzp = &tmpz;
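
Review bot: the added lines never convert the copy to a string: `convert_to_string_ex(val)` is removed and nothing in this hunk replaces it, so `tmpz` keeps whatever type `*val` had when it is later read through the string macros. Convert the private copy after `zval_copy_ctor(&tmpz)`, for example with `convert_to_string(&tmpz)`. The copy also needs a matching `zval_dtor(&tmpz)` on every exit path, which is not visible here, and `tmpz.refcount=1;` leaves `is_ref` as copied from `*val`; `INIT_PZVAL(&tmpz)` would reset both fields.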

I think that this is a place where convert_to_string(val) should be
used instead.

-                   in = BIO_new_mem_buf(Z_STRVAL_PP(val), Z_STRLEN_PP(val));
+                   in = BIO_new_mem_buf(Z_STRVAL_PP(&tmpzp),
Z_STRLEN_PP(&tmpzp));
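
Review bot: in the `BIO_new_mem_buf(...)` call the BIO reads from the supplied buffer without copying it, so the string owned by the temporary copy must stay alive until `in` is freed; destroy the copy only after the BIO is released. Since `tmpzp` is already a `zval *`, `Z_STRVAL_P(tmpzp)` and `Z_STRLEN_P(tmpzp)` read the same fields without taking the address of a local pointer.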

If you still need to use zval* instead of zval**, you can use
Z_STRVAL_P(tmpzp) instead of taking the address and using
Z_STRVAL_PP().

Can you check your patch again using convert_to_string() instead?

--Wez.

On 5/25/05, Kamesh Jayachandran <kameshj@fastmail.fm> wrote:
> Hi Wez & Jani,
> Following snippet causes double free of memory, corrupts the symbol
> table.
> <?php
> $pk=false;//As openssl_get_publickey($nonsense) can give false
> openssl_public_encrypt("Test",$encrypted,$pk);
> $pk=false;
> ?>
> 
> The culprit is php_openssl_evp_from_zval which is called by
> openssl_public_encrypt.
> openssl_public_encrypt reduces the refcount of $pk from 2 to 1.
> zend_ptr_stack_clear_multiple reduces it again to 0 as a normal cleanup
> upon return from openssl_public_encrypt.
> And hence zval associated with $pk is getting freed.
> But symbol table still refers to freed pointer.
> 
> The patch for 5.0 Tree is available at,
> http://puggy.symonds.net/~kameshj/openssl.c.patch.5.0
> 
> With regards
> Kamesh Jayachandran
> 
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
>
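
A toy C model of the refcount sequence described in the quoted report, added here as an illustration and not code from PHP or from either poster: `value`, `release`, `callee_buggy`, `callee_fixed` and `replay` are hypothetical names, and destructor runs are counted instead of freeing memory. It assumes the final `$pk=false;` in the snippet is what drops the symbol table's reference.

```c
#include <stdio.h>

/* Toy stand-in for a refcounted engine value; NOT the real zval. */
typedef struct { int refcount; int destroyed; } value;

/* Drop one reference; count destructor runs instead of calling free(),
   so the double free is observable without undefined behaviour. */
static void release(value *v) {
    if (--v->refcount <= 0) v->destroyed++;
}

/* Callee in the style the thread describes: on the failure path it
   releases the caller's value, a reference it never took. */
static void callee_buggy(value *arg) { release(arg); }

/* Callee that works on a private copy and releases only that copy. */
static void callee_fixed(const value *arg) {
    value tmp = *arg;            /* private copy of the argument */
    tmp.refcount = 1;
    tmp.destroyed = 0;
    release(&tmp);               /* caller's refcount is untouched */
}

typedef struct { int refcount_at_return; int destroyed_total; } outcome;

/* Replays: $pk = false; f($pk); $pk = false; */
outcome replay(int buggy) {
    value pk = { 1, 0 };         /* one reference: the symbol table */
    outcome o;
    pk.refcount++;               /* argument pushed for the call: 2 */
    if (buggy) callee_buggy(&pk); else callee_fixed(&pk);
    release(&pk);                /* engine clears the argument stack */
    o.refcount_at_return = pk.refcount;
    release(&pk);                /* second $pk = false drops the table's ref */
    o.destroyed_total = pk.destroyed;
    return o;
}

int main(void) {
    outcome b = replay(1), f = replay(0);
    printf("buggy: refcount at return %d, destroyed %d time(s)\n",
           b.refcount_at_return, b.destroyed_total);
    printf("fixed: refcount at return %d, destroyed %d time(s)\n",
           f.refcount_at_return, f.destroyed_total);
    return 0;
}
```

In the buggy replay the value reaches refcount 0 at return while the symbol table still points at it, and the later assignment destroys it a second time.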
