summaryrefslogtreecommitdiff
path: root/Zend/zend_alloc.c
diff options
context:
space:
mode:
authorChristoph M. Becker <cmbecker69@gmx.de>2016-09-07 22:50:53 +0200
committerChristoph M. Becker <cmbecker69@gmx.de>2016-09-07 22:50:53 +0200
commit5880428dac00ff9bafccb8c10c7226d6fa1dabbb (patch)
treefbd3ca8a9f032bdb7b33b6a2de56079bfcb08fd3 /Zend/zend_alloc.c
parentdad793630d5966a9c22f3fcd7f24b7937bd1a36f (diff)
downloadphp-git-5880428dac00ff9bafccb8c10c7226d6fa1dabbb.tar.gz
Fix potential memory issue with USE_ZEND_ALLOC=0
The PHP core and extensions are written with the assumption that memory allocation either succeeds, or the allocator bails out (i.e. the allocator is infallible). Therefore the result of emalloc() and friends are not checked for NULL values. However, with USE_ZEND_ALLOC=0, malloc() and friends are used as allocators, but these are fallible, i.e. they return NULL instead of bailing out if they fail. This easily leads to invalid memory accesses in the following, such as in <https://bugs.php.net/73032>. Some of these cases may constitute exploitable vulnerabilities. Therefore we make the infallible __zend_alloc() and friends the default for USE_ZEND_ALLOC=0.
Diffstat (limited to 'Zend/zend_alloc.c')
-rw-r--r--Zend/zend_alloc.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
index 105c2560aa..f11a12dc90 100644
--- a/Zend/zend_alloc.c
+++ b/Zend/zend_alloc.c
@@ -2726,9 +2726,9 @@ static void alloc_globals_ctor(zend_alloc_globals *alloc_globals TSRMLS_DC)
alloc_globals->mm_heap = malloc(sizeof(struct _zend_mm_heap));
memset(alloc_globals->mm_heap, 0, sizeof(struct _zend_mm_heap));
alloc_globals->mm_heap->use_zend_alloc = 0;
- alloc_globals->mm_heap->_malloc = malloc;
+ alloc_globals->mm_heap->_malloc = __zend_malloc;
alloc_globals->mm_heap->_free = free;
- alloc_globals->mm_heap->_realloc = realloc;
+ alloc_globals->mm_heap->_realloc = __zend_realloc;
} else {
alloc_globals->mm_heap = zend_mm_startup();
}