Fix potential use after free in php_binary_init()

hwde · cmb69 · commit 93a44f8c502a · 2022-06-20T12:00:50.000+02:00
Closes GH-8791.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2022, PHP 8.0.21
 
+- Core:
+  . Fixed potential use after free in php_binary_init(). (Heiko Weber)
+
 - COM:
   . Fixed bug GH-8778 (Integer arithmethic with large number variants fails).
     (cmb)
diff --git a/main/main.c b/main/main.c
@@ -352,15 +352,15 @@ static void php_binary_init(void)
 {
 	char *binary_location = NULL;
 #ifdef PHP_WIN32
-	binary_location = (char *)malloc(MAXPATHLEN);
-	if (binary_location && GetModuleFileName(0, binary_location, MAXPATHLEN) == 0) {
-		free(binary_location);
-		PG(php_binary) = NULL;
+	binary_location = (char *)pemalloc(MAXPATHLEN, 1);
+	if (GetModuleFileName(0, binary_location, MAXPATHLEN) == 0) {
+		pefree(binary_location, 1);
+		binary_location = NULL;
 	}
 #else
 	if (sapi_module.executable_location) {
-		binary_location = (char *)malloc(MAXPATHLEN);
-		if (binary_location && !strchr(sapi_module.executable_location, '/')) {
+		binary_location = (char *)pemalloc(MAXPATHLEN, 1);
+		if (!strchr(sapi_module.executable_location, '/')) {
 			char *envpath, *path;
 			int found = 0;
 
@@ -383,11 +383,11 @@ static void php_binary_init(void)
 				efree(path);
 			}
 			if (!found) {
-				free(binary_location);
+				pefree(binary_location, 1);
 				binary_location = NULL;
 			}
 		} else if (!VCWD_REALPATH(sapi_module.executable_location, binary_location) || VCWD_ACCESS(binary_location, X_OK)) {
-			free(binary_location);
+			pefree(binary_location, 1);
 			binary_location = NULL;
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -352,15 +352,15 @@ static void php_binary_init(void)`
`352`	`352`	`{`
`353`	`353`	`char *binary_location = NULL;`
`354`	`354`	`#ifdef PHP_WIN32`
`355`		`- binary_location = (char *)malloc(MAXPATHLEN);`
`356`		`- if (binary_location && GetModuleFileName(0, binary_location, MAXPATHLEN) == 0) {`
`357`		`- free(binary_location);`
`358`		`- PG(php_binary) = NULL;`
	`355`	`+ binary_location = (char *)pemalloc(MAXPATHLEN, 1);`
	`356`	`+ if (GetModuleFileName(0, binary_location, MAXPATHLEN) == 0) {`
	`357`	`+ pefree(binary_location, 1);`
	`358`	`+ binary_location = NULL;`
`359`	`359`	`}`
`360`	`360`	`#else`
`361`	`361`	`if (sapi_module.executable_location) {`
`362`		`- binary_location = (char *)malloc(MAXPATHLEN);`
`363`		`- if (binary_location && !strchr(sapi_module.executable_location, '/')) {`
	`362`	`+ binary_location = (char *)pemalloc(MAXPATHLEN, 1);`
	`363`	`+ if (!strchr(sapi_module.executable_location, '/')) {`
`364`	`364`	`char envpath, path;`
`365`	`365`	`int found = 0;`
`366`	`366`
`@@ -383,11 +383,11 @@ static void php_binary_init(void)`
`383`	`383`	`efree(path);`
`384`	`384`	`}`
`385`	`385`	`if (!found) {`
`386`		`- free(binary_location);`
	`386`	`+ pefree(binary_location, 1);`
`387`	`387`	`binary_location = NULL;`
`388`	`388`	`}`
`389`	`389`	`} else if (!VCWD_REALPATH(sapi_module.executable_location, binary_location) \|\| VCWD_ACCESS(binary_location, X_OK)) {`
`390`		`- free(binary_location);`
	`390`	`+ pefree(binary_location, 1);`
`391`	`391`	`binary_location = NULL;`
`392`	`392`	`}`
`393`	`393`	`}`