Fix memory leak on failure in openssl_x509_parse() #21005
+1
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Only one of the two arrays (subitem) is destroyed, and critext is not.
This leads to a memory leak if the loop bails out:
```
Direct leak of 56 byte(s) in 1 object(s) allocated from:
#0 0x7f309fe699c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x563b9709ca05 in tracked_malloc /work/php-src/Zend/zend_alloc.c:3018
#2 0x563b9709b969 in _emalloc /work/php-src/Zend/zend_alloc.c:2780
#3 0x563b9737dc7b in _zend_new_array /work/php-src/Zend/zend_hash.c:290
#4 0x563b960f40fc in zif_openssl_x509_parse /work/php-src/ext/openssl/openssl.c:1120
#5 0x563b96eb7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#6 0x563b971e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#7 0x563b97340995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#8 0x563b973558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#9 0x563b974ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#10 0x563b96eec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#11 0x563b96eecccb in php_execute_script /work/php-src/main/main.c:2685
#12 0x563b974bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#13 0x563b974c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#14 0x7f309f1641c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#15 0x7f309f16428a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x563b96009b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Only one of the two arrays (subitem) is destroyed, and critext is not. This leads to a memory leak if the loop bails out:
This was found by a hybrid static-dynamic analyser that looks for inconsistent handling of error checks in bindings.