Commit 7790ee8

authored

Fix concat_function use-after-free on out-of-memory error (#11297)

Introduced by GH-10049

1 parent 5c74164 commit 7790ee8Copy full SHA for 7790ee8

File tree

+23

-2

lines changed

+23

-2

lines changed

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,18 @@`
	`1`	`+--TEST--`
	`2`	`+Bug #79836 (use-after-free in concat_function)`
	`3`	`+--INI--`
	`4`	`+memory_limit=10M`
	`5`	`+--FILE--`
	`6`	`+<?php`
	`7`	`+class Foo {`
	`8`	`+ public function __toString() {`
	`9`	`+ return str_repeat('a', 10);`
	`10`	`+ }`
	`11`	`+}`
	`12`	`+`
	`13`	`+$i = str_repeat('a', 5 * 1024 * 1024);`
	`14`	`+$e = new Foo();`
	`15`	`+$e .= $i;`
	`16`	`+?>`
	`17`	`+--EXPECTF--`
	`18`	`+Fatal error: Allowed memory size of %d bytes exhausted%s(tried to allocate %d bytes) in %s on line %d`

Lines changed: 5 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -2048,13 +2048,16 @@ has_op2_string:;`
`2048`	`2048`	`}`
`2049`	`2049`
`2050`	`2050`	`if (result == op1) {`
	`2051`	`+ /* special case, perform operations on result */`
	`2052`	`+ result_str = zend_string_extend(op1_string, result_len, 0);`
	`2053`	`+ /* Free result after zend_string_extend(), as it may throw an out-of-memory error. If we`
	`2054`	`+ * free it before we would leave the released variable on the stack with shutdown trying`
	`2055`	`+ * to free it again. */`
`2051`	`2056`	`if (free_op1_string) {`
`2052`	`2057`	`/* op1_string will be used as the result, so we should not free it */`
`2053`	`2058`	`i_zval_ptr_dtor(result);`
`2054`	`2059`	`free_op1_string = false;`
`2055`	`2060`	`}`
`2056`		`- /* special case, perform operations on result */`
`2057`		`- result_str = zend_string_extend(op1_string, result_len, 0);`
`2058`	`2061`	`/* account for the case where result_str == op1_string == op2_string and the realloc is done */`
`2059`	`2062`	`if (op1_string == op2_string) {`
`2060`	`2063`	`if (free_op2_string) {`

Comments

(0)