php-src/ext/zend_test/tests
Niels Dossche bc558bf7a3
Fix GH-11078: PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors
Although the issue was demonstrated using Curl, the issue is purely in
the streams layer of PHP.

Full analysis is written in GH-11078 [1], but here is the brief version:
Here's what actually happens:
1) We're creating a FILE handle from a stream using the casting mechanism.
   This will create a cookie-based FILE handle using funopen.
2) We're reading stream data using fread from the userspace stream. This will
   temporarily set a buffer into a field _bf.base [2]. This buffer is now equal
   to the upload buffer that Curl allocated and note that that buffer is owned
   by Curl.
3) The fatal error occurs and we bail out from the fread function, notice how
   the reset code is never executed and so the buffer will still point to
   Curl's upload buffer instead of FILE's own buffer [3].
4) The resources are destroyed, this includes our opened stream and because the
   FILE handle is cached, it gets destroyed as well.
   In fact, the stream code calls through fclose on purpose in this case.
5) The fclose code frees the _bf.base buffer [4].
   However, this is not the buffer that FILE owns but the one that Curl owns
   because it isn't reset properly due to the bailout!
6) The objects are getting destroyed, and so the curl free logic is invoked.
   When Curl tries to gracefully clean up, it tries to free the buffer.
   But that buffer is actually already freed mistakenly by the C library!

This also explains why we can't reproduce it on Linux: this bizarre buffer
swapping only happens on macOS and BSD, not on Linux.

To solve this, we switch to an unbuffered mode for cookie-based FILEs.
This avoids any stateful problems related to buffers especially when the
bailout mechanism triggers. As streams have their own buffering
mechanism, I don't expect this to impact performance.

[1] https://github.com/php/php-src/issues/11078#issuecomment-2155616843
[2] 5e566be7a7/stdio/FreeBSD/fread.c (L102-L103)
[3] 5e566be7a7/stdio/FreeBSD/fread.c (L117)
[4] 5e566be7a7/stdio/FreeBSD/fclose.c (L66-L67)

Closes GH-14524.
2024-06-10 19:38:21 +02:00
iterators adds failing test case for #12060 2023-09-05 10:23:22 +01:00
attribute-promotion-parameter-only.phpt Properly deal with internal attributes used on promoted properties. 2022-11-03 14:29:22 +01:00
attribute-promotion-property-only.phpt Properly deal with internal attributes used on promoted properties. 2022-11-03 14:29:22 +01:00
attribute_arguments.phpt Add tests for function parameter attributes to ext/zend_test 2022-03-07 22:10:54 +01:00
attribute_hash_table_leak.phpt Add tests for function parameter attributes to ext/zend_test 2022-03-07 22:10:54 +01:00
execute_internal.phpt Add test, fix x86 JIT 2023-03-13 12:36:59 +01:00
fiber_test_01.phpt
fiber_test_02.phpt
fiber_test_03.phpt
fiber_test_04.phpt
fiber_test_05.phpt
fiber_test_06.phpt
fiber_test_07.phpt
gen_stub_test_01.phpt Fix GH-12558 Escape \N in generated stubs (#12562) 2023-10-31 10:06:56 +01:00
gen_stub_test_02.phpt Add support for generating namespaced constant 2023-02-23 10:05:30 +01:00
get_function_or_method_name_01.inc Fix get_function_or_method_name when included file is scoped (#8467) 2022-05-03 21:34:01 +02:00
get_function_or_method_name_01.phpt Merge branch 'PHP-8.0' into PHP-8.1 2022-05-03 21:36:42 +02:00
gh8575.phpt Allow to not close stream on rscr dtor in php cli sapi 2022-07-18 10:58:50 +01:00
gh9871.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
gh10370.tar Fix GH-10370: File corruption in _php_stream_copy_to_stream_ex when using copy_file_range (#10440) 2023-02-10 13:08:44 +01:00
gh10370_1.phpt Fix concurrent testing 2023-02-10 13:31:57 +01:00
gh10370_2.phpt Fix concurrent testing 2023-02-10 13:31:57 +01:00
gh10370_3.phpt Fix concurrent testing 2023-02-10 13:31:57 +01:00
gh10370_4.phpt Fix concurrent testing 2023-02-10 13:31:57 +01:00
gh11078.phpt Fix GH-11078: PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors 2024-06-10 19:38:21 +02:00
gh13970.phpt Delay #[Attribute] arg validation until runtime 2024-05-06 12:38:56 +02:00
internal-call-internal-static-return.phpt Get rid of invalid assertion and cleanup zend_call_method 2022-06-01 10:50:50 +02:00
internal_magic_call.phpt Fix leak of call->extra_named_params on internal __call 2023-12-01 16:49:16 +01:00
observer.inc
observer_backtrace_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_basic_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_basic_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_basic_03.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_basic_04.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_basic_05.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_basic_06.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_bug81430_1.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_bug81430_2.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_bug81435.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_call_user_func_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_call_user_func_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_call_user_func_03.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_call_user_func_04.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_closure_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_closure_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_closure_03.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_declarations_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_declarations_file_cache.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_error_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_error_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_error_03.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_error_04.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_error_05.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_eval_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_exception_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_fiber_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_fiber_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_fiber_03.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_fiber_04.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_fiber_05.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_fiber_06.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_fiber_functions_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_fiber_functions_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_fiber_functions_03.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_generator_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_generator_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_generator_03.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_generator_04.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_generator_05.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_magic_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_opline_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_preload.inc Fix opcache preload with observers enabled 2022-11-09 16:36:28 +01:00
observer_preload.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_03.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_04.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_05.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_06.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_07.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_by_ref_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_by_ref_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_retval_by_ref_03.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_shutdown_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_shutdown_02.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_sqlite_create_function.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_types_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
observer_zend_call_function_01.phpt Run one testsuite with observers enabled in CI (#13869) 2024-04-02 18:11:02 +02:00
opline_dangling.phpt USE_ZEND_ALLOC=1 in tests with zend_test.observe_opline_in_zendmm=1 2023-11-25 18:44:45 +01:00
opline_dangling_02.phpt USE_ZEND_ALLOC=1 in tests with zend_test.observe_opline_in_zendmm=1 2023-11-25 18:44:45 +01:00
optimizer_register_pass.phpt
variadic_arguments.phpt Fixed strict zpp arginfo test 2023-03-09 11:40:47 +00:00
zend_forbid_dynamic_call.phpt Use get_active_function_or_method_name() for zend_forbid_dynamic_call() (#8762) 2022-06-16 12:02:53 +01:00
zend_ini_str_validator_basic.phpt Add zend_string INI validators 2022-09-06 10:41:47 +01:00
zend_ini_str_validator_return_from_func.phpt Add zend_string INI validators 2022-09-06 10:41:47 +01:00
zend_internal_class_prop_intersection.phpt Add support for stubs to declare intersection type class properties (#8751) 2022-07-22 13:04:49 +01:00
zend_legacy_iterable.phpt Convert iterable into an internal alias for Traversable|array (#7309) 2022-06-07 13:35:34 +01:00
zend_test_compile_string.phpt
zend_weakmap.phpt Convert iterable into an internal alias for Traversable|array (#7309) 2022-06-07 13:35:34 +01:00