realloc with size 0 in user_filters.c #17650

chongwick · 2025-01-31T11:50:11Z

Description

The following code:

<?php
class testfilter extends php_user_filter {
  function filter($in, $out, &$consumed, $closing): int {
    while ($bucket = stream_bucket_make_writeable($in)) {
      $bucket->data = preg_replace('/.(?<!^)/m', '', strtoupper($bucket->data));
      $consumed += strlen($bucket->data);
      stream_bucket_append($out, $bucket);
    }
    return PSFS_PASS_ON;
  }

  function oncreate(): bool {
    echo "params: {$this->params}\n";
    return true;
  }
}

stream_filter_register('testfilter','testfilter');

$text = "Hello There!";

$fp = tmpfile();
fwrite($fp, $text);

rewind($fp);
stream_filter_append($fp, 'testfilter', STREAM_FILTER_READ, 'testuserfilter');

while ($line = fgets($fp)) {
    assertArrayEquals(["Hello"], explode(" ", $line));
}

fclose($fp);

Resulted in this output:

php-src/ext/standard/user_filters.c:408:3: runtime error: null pointer passed as argument 1, which is declared to never be null

USE_ZEND_ALLOC=0 php test.php

PHP Version

nightly

Operating System

ubuntu 22.04

The text was updated successfully, but these errors were encountered:

If the returned buffer string is of length 0, then a realloc can happen with length 0. However, the behaviour is implementation-defined. From 7.20.3.1 of C11 spec: > If the size of the space requested is zero, the behavior is > implementation-defined: either a null pointer is returned, > or the behavior is as if the size were some nonzero value, > except that the returned pointer shall not be used to access an object This is problematic for the test case on my system as it returns NULL, causing a memleak and later using it in memcpy causing UB. The bucket code is not prepared to handle a NULL pointer. To solve this, we use MAX to clamp the size to 1 at the least.

* PHP-8.3: Fix GH-17650: realloc with size 0 in user_filters.c

* PHP-8.4: Fix GH-17650: realloc with size 0 in user_filters.c

If the returned buffer string is of length 0, then a realloc can happen with length 0. However, the behaviour is implementation-defined. From 7.20.3.1 of C11 spec: > If the size of the space requested is zero, the behavior is > implementation-defined: either a null pointer is returned, > or the behavior is as if the size were some nonzero value, > except that the returned pointer shall not be used to access an object This is problematic for the test case on my system as it returns NULL, causing a memleak and later using it in memcpy causing UB. The bucket code is not prepared to handle a NULL pointer. To solve this, we use MAX to clamp the size to 1 at the least. Closes phpGH-17656.

chongwick added Bug Status: Needs Triage labels Jan 31, 2025

Girgias added the Category: Streams label Jan 31, 2025

devnexen added Status: Verified and removed Status: Needs Triage labels Jan 31, 2025

nielsdos changed the title ~~invalid memory usage in user_filters.c~~ realloc with size 0 user_filters.c Jan 31, 2025

nielsdos changed the title ~~realloc with size 0 user_filters.c~~ realloc with size 0 in user_filters.c Jan 31, 2025

nielsdos linked a pull request Jan 31, 2025 that will close this issue

Fix GH-17650: realloc with size 0 in user_filters.c #17656

Closed

nielsdos closed this as completed in fd5d6ad Feb 7, 2025

nielsdos added a commit that referenced this issue Feb 7, 2025

Merge branch 'PHP-8.3' into PHP-8.4

c2e5c58

* PHP-8.3: Fix GH-17650: realloc with size 0 in user_filters.c

nielsdos added a commit that referenced this issue Feb 7, 2025

Merge branch 'PHP-8.4'

d3e5dbe

* PHP-8.4: Fix GH-17650: realloc with size 0 in user_filters.c

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

realloc with size 0 in user_filters.c #17650

realloc with size 0 in user_filters.c #17650

chongwick commented Jan 31, 2025

realloc with size 0 in user_filters.c #17650

realloc with size 0 in user_filters.c #17650

Comments

chongwick commented Jan 31, 2025

Description

PHP Version

Operating System