From: nikic
Operating system:
PHP version: master-Git-2012-05-06 (Git)
Package: Filesystem function related
Bug Type: Bug
Bug description: finfo_open with directory causes invalid free
Description:
------------
The simple script
<?php
finfo_open(FILEINFO_NONE, '.');
causes an invalid free to be reported by glibc, with the following gdb bt:
#0 0x00130416 in __kernel_vsyscall ()
#1 0x009edc8f in __GI_raise (sig=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0x009f12b5 in __GI_abort () at abort.c:92
#3 0x00a2515c in __libc_message (do_abort=2,
fmt=0xafe4c0 "*** glibc detected *** %s: %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4 0x00a2ff22 in malloc_printerr (action=<optimized out>,
str=<optimized out>, ptr=0xbfff996c) at malloc.c:6283
#5 0x00a30168 in munmap_chunk (p=<optimized out>) at malloc.c:3540
#6 0x081ffde1 in apprentice_load (ms=0xb717d8f8, magicp=0xbfffa9bc,
nmagicp=0xbfffa9c0, fn=0xb717d150 "/home/nikic/dev/Phuzzy/results",
action=0) at
/home/nikic/dev/php-src/ext/fileinfo/libmagic/apprentice.c:814
#7 0x081fecc9 in apprentice_1 (ms=0xb717d8f8,
fn=0xb717d150 "/home/nikic/dev/Phuzzy/results", action=0,
mlist=0xb717d1a0)
at /home/nikic/dev/php-src/ext/fileinfo/libmagic/apprentice.c:275
#8 0x081fef8c in file_apprentice (ms=0xb717d8f8,
fn=0xb717d150 "/home/nikic/dev/Phuzzy/results", action=0)
at /home/nikic/dev/php-src/ext/fileinfo/libmagic/apprentice.c:369
#9 0x0820975e in magic_load (ms=0xb717d8f8,
magicfile=0xbfffaaec "/home/nikic/dev/Phuzzy/results")
at /home/nikic/dev/php-src/ext/fileinfo/libmagic/magic.c:308
#10 0x081fdc23 in zif_finfo_open (ht=2, return_value=0xb717c2cc,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0,
tsrm_ls=0x8c0f070)
at /home/nikic/dev/php-src/ext/fileinfo/fileinfo.c:345
#11 0x085cf628 in zend_do_fcall_common_helper_SPEC
(execute_data=0xb716007c,
tsrm_ls=0x8c0f070) at
/home/nikic/dev/php-src/Zend/zend_vm_execute.h:642
#12 0x085d6ddb in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xb716007c,
tsrm_ls=0x8c0f070) at
/home/nikic/dev/php-src/Zend/zend_vm_execute.h:2219
#13 0x085cd8d5 in execute (op_array=0xb717cc14, tsrm_ls=0x8c0f070)
at /home/nikic/dev/php-src/Zend/zend_vm_execute.h:410
#14 0x0859202e in zend_execute_scripts (type=8, tsrm_ls=0x8c0f070,
retval=0x0,
file_count=3) at /home/nikic/dev/php-src/Zend/zend.c:1272
#15 0x084f4e91 in php_execute_script (primary_file=0xbfffe110,
tsrm_ls=0x8c0f070) at /home/nikic/dev/php-src/main/main.c:2473
#16 0x086dcbc9 in do_cli (argc=2, argv=0xbffff3b4, tsrm_ls=0x8c0f070)
at /home/nikic/dev/php-src/sapi/cli/php_cli.c:988
#17 0x086de0ed in main (argc=2, argv=0xbffff3b4)
at /home/nikic/dev/php-src/sapi/cli/php_cli.c:1361
The invalid free occurs in
https://github.com/php/php-src/blob/master/ext/fileinfo/libmagic/apprentice.c#L814.
The code for loading from a directory seems completely broken: The
filenames are snprintf'd into the mfn variable, which is a
char[MAXPATHLEN].
For every file that variable is then written into the array, without
further copying: filearr[files++] = mfn;
So basically at the end filearr just contains the last scanned path
multiple times.
In the second loop the individual filearr elements are then freed, which is
wrong in two senses: a) it's always the same array element, so it would be
a multi-free b) mfn is an array, it was never allocated, so it shouldn't be
freed.
The fix should be to copy mfn into a separate pointer when doing
filearr[files++] = mfn;
:)
--
Edit bug report at https://bugs.php.net/bug.php?id=61964&edit=1
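The fix the report calls for, as an added example (not code from php-src or from the reporter): the same snprintf into a stack mfn buffer, but each filearr slot receives its own strdup() copy, so the later free() loop is valid. It assumes a caller-supplied array with a constructed capacity MAXFILES, and demo_collect() builds a scratch directory under /tmp as its constructed input.

```c
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <unistd.h>
#define MAXFILES 256   /* caller-provided fixed capacity keeps the example short */
void free_paths(char **arr, int n)   /* every slot is its own heap allocation */
{
    for (int i = 0; i < n; i++) free(arr[i]);
}
/* Store "dir/name" for each non-dot entry of dir. The name goes through the stack
 * buffer mfn as in apprentice.c, but the slot gets a strdup() copy; storing mfn
 * itself aliases one never-malloc'd buffer, the invalid free in the report. */
int collect_paths(const char *dir, char **filearr, int maxfiles)
{
    char mfn[MAXPATHLEN]; int files = 0; struct dirent *dp;
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    while (files < maxfiles && (dp = readdir(d)) != NULL) {
        if (dp->d_name[0] == '.') continue;
        snprintf(mfn, sizeof mfn, "%s/%s", dir, dp->d_name);
        if ((filearr[files] = strdup(mfn)) == NULL) {            /* the fix */
            closedir(d); free_paths(filearr, files); return -1;
        }
        files++;
    }
    closedir(d);
    return files;
}
/* Self-check on a scratch dir holding a.magic, b.magic, c.magic (constructed
 * input): returns 3 only if every stored path is a distinct copy; cleans up. */
int demo_collect(void)
{
    char dir[] = "/tmp/finfo_demo_XXXXXX", p[MAXPATHLEN], *paths[MAXFILES];
    int n, ok = 1;
    if (mkdtemp(dir) == NULL) return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%c.magic", dir, 'a' + i);
        FILE *f = fopen(p, "w"); if (f == NULL) return -1; fclose(f);
    }
    n = collect_paths(dir, paths, MAXFILES);
    for (int i = 0; i < n; i++) {
        for (int j = i + 1; j < n; j++) ok &= strcmp(paths[i], paths[j]) != 0;
        unlink(paths[i]);
    }
    if (n > 0) free_paths(paths, n);
    rmdir(dir); return ok ? n : -1;
}
```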