From 93a44f8c502a348899db1ecc417b7e42ce95bf00 Mon Sep 17 00:00:00 2001
From: Heiko Weber
Date: Wed, 15 Jun 2022 16:51:06 +0200
Subject: [PATCH] Fix potential use after free in php_binary_init()

Closes GH-8791.
---
 NEWS | 3 +++
 main/main.c | 16 ++++++++--------
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/NEWS b/NEWS
index 4325fe3ff47..584fa704cf4 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2022, PHP 8.0.21
+- Core:
+ . Fixed potential use after free in php_binary_init(). (Heiko Weber)
+
 - COM:
 . Fixed bug GH-8778 (Integer arithmethic with large number variants fails). (cmb)
diff --git a/main/main.c b/main/main.c
index 7bd5400760f..a40a4c8c37c 100644
--- a/main/main.c
+++ b/main/main.c
@@ -352,15 +352,15 @@ static void php_binary_init(void)
 {
 char *binary_location = NULL;
 #ifdef PHP_WIN32
- binary_location = (char *)malloc(MAXPATHLEN);
- if (binary_location && GetModuleFileName(0, binary_location, MAXPATHLEN) == 0) {
- free(binary_location);
- PG(php_binary) = NULL;
+ binary_location = (char *)pemalloc(MAXPATHLEN, 1);
+ if (GetModuleFileName(0, binary_location, MAXPATHLEN) == 0) {
+ pefree(binary_location, 1);
+ binary_location = NULL;
 }
 #else
 if (sapi_module.executable_location) {
- binary_location = (char *)malloc(MAXPATHLEN);
- if (binary_location && !strchr(sapi_module.executable_location, '/')) {
+ binary_location = (char *)pemalloc(MAXPATHLEN, 1);
+ if (!strchr(sapi_module.executable_location, '/')) {
 char *envpath, *path;
 int found = 0;
@@ -383,11 +383,11 @@ static void php_binary_init(void)
 efree(path);
 }
 if (!found) {
- free(binary_location);
+ pefree(binary_location, 1);
 binary_location = NULL;
 }
 } else if (!VCWD_REALPATH(sapi_module.executable_location, binary_location) || VCWD_ACCESS(binary_location, X_OK)) {
- free(binary_location);
+ pefree(binary_location, 1);
 binary_location = NULL;
 }
 }
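Review bot: In the PHP_WIN32 branch of the first main.c hunk, `GetModuleFileName(0, binary_location, MAXPATHLEN) == 0` only catches outright failure. When the module path does not fit, the API returns the buffer size and leaves a truncated string, which would then be kept as the binary location. Consider rejecting a full buffer as well: `DWORD len = GetModuleFileName(0, binary_location, MAXPATHLEN);` followed by `if (len == 0 || len >= MAXPATHLEN) {`. The removed NULL checks presumably rely on `pemalloc(MAXPATHLEN, 1)` aborting rather than returning NULL on allocation failure, which deserves a one-line comment at the call. The body of php_binary_init() continues outside this hunk.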
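Review bot: In the second main.c hunk, both release sites (the `if (!found)` branch and the `VCWD_REALPATH`/`VCWD_ACCESS` branch) repeat the pair `pefree(binary_location, 1); binary_location = NULL;`, and nothing records why the reset is mandatory. Judging by the removed `PG(php_binary) = NULL;` line in the Windows branch, the local pointer appears to be stored into `PG(php_binary)` after these branches, outside the hunk, so a freed but non-NULL value would leave a dangling pointer there. A comment at the allocation would record the invariant, for example `/* stored in PG(php_binary) below: reset to NULL whenever it is freed */`. The function starts and ends outside this hunk.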