stream: fix possible use of wrapper after it is freed

Author: bukka

main/streams/php_stream_errors.h

@@ -124,6 +124,9 @@ BEGIN_EXTERN_C()
 #define STREAM_ERROR_CODE_USERSPACE_INVALID_RETURN      161
 #define STREAM_ERROR_CODE_USERSPACE_CALL_FAILED         162
 
+/* Wrapper name for PHP errors */
+#define PHP_STREAM_ERROR_WRAPPER_NAME(_wrapper) (_wrapper ? _wrapper->wops->label : "unknown")
+
 /* Stored error entry */
 typedef struct {
     zend_string *message;
@@ -166,9 +169,14 @@ PHPAPI void php_stream_wrapper_log_error_param(const php_stream_wrapper *wrapper
 		php_stream_context *context, int options, int severity, bool terminal, int code,
 		const char *param, const char *fmt, ...) ZEND_ATTRIBUTE_FORMAT(printf, 8, 9);
 
+PHPAPI void php_stream_display_wrapper_name_errors(const char *wrapper_name,
+        php_stream_context *context, int code, const char *path, const char *caption);
+
 PHPAPI void php_stream_display_wrapper_errors(php_stream_wrapper *wrapper,
         php_stream_context *context, int code, const char *path, const char *caption);
 
+PHPAPI void php_stream_tidy_wrapper_name_error_log(const char *wrapper_name);
+
 PHPAPI void php_stream_tidy_wrapper_error_log(php_stream_wrapper *wrapper);
 
 /* Convenience macros */

main/streams/stream_errors.c

@@ -31,7 +31,7 @@ static void php_stream_error_entry_dtor(void *error)
 	zend_string_release(entry->message);
 	pefree(entry->wrapper_name, entry->persistent);
 	pefree(entry->docref, entry->persistent);
-	 // param is not currently supported for streams so cannot be persistent
+	// param is not currently supported for streams so cannot be persistent
 	ZEND_ASSERT(!entry->persistent || entry->param == NULL);
 	efree(entry->param);
 	pefree(entry, entry->persistent);
@@ -216,8 +216,8 @@ static void php_stream_process_error(php_stream_context *context, const char *wr
 
 /* Helper to create error entry */
 static php_stream_error_entry *php_stream_create_error_entry(zend_string *message, int code,
-		const char *wrapper_name, const char *docref, char *param, int severity,
-		bool terminal, bool persistent)
+		const char *wrapper_name, const char *docref, char *param, int severity, bool terminal,
+		bool persistent)
 {
 	if (persistent) {
 		message = zend_string_dup(message, true);
@@ -240,8 +240,8 @@ static php_stream_error_entry *php_stream_create_error_entry(zend_string *messag
 
 /* Common storage function*/
 static void php_stream_store_error_common(php_stream_context *context, php_stream *stream,
-		zend_string *message, const char *docref, int code,
-		const char *wrapper_name, char *param, int severity, bool terminal)
+		zend_string *message, const char *docref, int code, const char *wrapper_name, char *param,
+		int severity, bool terminal)
 {
 	int error_mode = php_stream_get_error_mode(context);
 	int store_mode = php_stream_get_error_store_mode(context, error_mode);
@@ -295,23 +295,36 @@ static void php_stream_wrapper_error_internal_with_name(const char *wrapper_name
 {
 	zend_string *message = vstrpprintf(0, fmt, args);
 
-	php_stream_process_error(context, wrapper_name, NULL, docref, code, ZSTR_VAL(message),
-			param, severity, terminal);
+	php_stream_process_error(context, wrapper_name, NULL, docref, code, ZSTR_VAL(message), param,
+			severity, terminal);
 
 	php_stream_store_error_common(
 			context, NULL, message, docref, code, wrapper_name, param, severity, terminal);
 
 	zend_string_release(message);
 }
 
+static void php_stream_wrapper_error_internal_with_name_variadic(const char *wrapper_name,
+		php_stream_context *context, const char *docref, int options, int severity, bool terminal,
+		int code, char *param, const char *fmt, ...)
+{
+	va_list args;
+	va_start(args, fmt);
+
+	php_stream_wrapper_error_internal_with_name(
+			wrapper_name, context, docref, options, severity, terminal, code, param, fmt, args);
+
+	va_end(args);
+}
+
 static void php_stream_wrapper_error_internal(php_stream_wrapper *wrapper,
 		php_stream_context *context, const char *docref, int options, int severity, bool terminal,
 		int code, char *param, const char *fmt, va_list args)
 {
-	const char *wrapper_name = wrapper ? wrapper->wops->label : "unknown";
+	const char *wrapper_name = PHP_STREAM_ERROR_WRAPPER_NAME(wrapper);
 
-	php_stream_wrapper_error_internal_with_name(wrapper_name, context, docref, options, severity,
-			terminal, code, param, fmt, args);
+	php_stream_wrapper_error_internal_with_name(
+			wrapper_name, context, docref, options, severity, terminal, code, param, fmt, args);
 }
 
 PHPAPI void php_stream_wrapper_error_with_name(const char *wrapper_name,
@@ -347,7 +360,7 @@ PHPAPI void php_stream_wrapper_error_param(php_stream_wrapper *wrapper, php_stre
 	if (options & REPORT_ERRORS) {
 		va_list args;
 		va_start(args, fmt);
-		char *param_copy = param ? estrdup(param): NULL;
+		char *param_copy = param ? estrdup(param) : NULL;
 		php_stream_wrapper_error_internal(
 				wrapper, context, docref, options, severity, terminal, code, param_copy, fmt, args);
 		va_end(args);
@@ -364,8 +377,8 @@ PHPAPI void php_stream_wrapper_error_param2(php_stream_wrapper *wrapper,
 
 		va_list args;
 		va_start(args, fmt);
-		php_stream_wrapper_error_internal(
-				wrapper, context, docref, options, severity, terminal, code, combined_param, fmt, args);
+		php_stream_wrapper_error_internal(wrapper, context, docref, options, severity, terminal,
+				code, combined_param, fmt, args);
 		va_end(args);
 	}
 }
@@ -375,7 +388,7 @@ PHPAPI void php_stream_wrapper_error_param2(php_stream_wrapper *wrapper,
 static void php_stream_wrapper_log_store_error(zend_string *message, int code,
 		const char *wrapper_name, const char *param, int severity, bool terminal)
 {
-	char *param_copy = param ? estrdup(param): NULL;
+	char *param_copy = param ? estrdup(param) : NULL;
 	php_stream_error_entry *entry = php_stream_create_error_entry(
 			message, code, wrapper_name, NULL, param_copy, severity, terminal, false);
 
@@ -384,8 +397,8 @@ static void php_stream_wrapper_log_store_error(zend_string *message, int code,
 		zend_hash_init(FG(wrapper_logged_errors), 8, NULL, php_stream_error_list_dtor, 0);
 	}
 
-	zend_llist *list = zend_hash_str_find_ptr(
-			FG(wrapper_logged_errors), wrapper_name, strlen(wrapper_name));
+	zend_llist *list
+			= zend_hash_str_find_ptr(FG(wrapper_logged_errors), wrapper_name, strlen(wrapper_name));
 
 	if (!list) {
 		zend_llist new_list;
@@ -403,16 +416,15 @@ static void php_stream_wrapper_log_error_internal(const php_stream_wrapper *wrap
 		char *param, const char *fmt, va_list args)
 {
 	zend_string *message = vstrpprintf(0, fmt, args);
-	const char *wrapper_name = wrapper ? wrapper->wops->label : "unknown";
+	const char *wrapper_name = PHP_STREAM_ERROR_WRAPPER_NAME(wrapper);
 
 	if (options & REPORT_ERRORS) {
 		/* Report immediately using standard error functions */
 		php_stream_wrapper_error_internal_with_name(
 				wrapper_name, context, NULL, options, severity, terminal, code, param, fmt, args);
 	} else {
 		/* Store for later display in FG(wrapper_logged_errors) */
-		php_stream_wrapper_log_store_error(
-				message, code, wrapper_name, param, severity, terminal);
+		php_stream_wrapper_log_store_error(message, code, wrapper_name, param, severity, terminal);
 	}
 	zend_string_release(message);
 }
@@ -434,7 +446,7 @@ PHPAPI void php_stream_wrapper_log_error_param(const php_stream_wrapper *wrapper
 {
 	va_list args;
 	va_start(args, fmt);
-	char *param_copy = param ? estrdup(param): NULL;
+	char *param_copy = param ? estrdup(param) : NULL;
 	php_stream_wrapper_log_error_internal(
 			wrapper, context, options, severity, terminal, code, param_copy, fmt, args);
 	va_end(args);
@@ -450,7 +462,7 @@ static zend_llist *php_stream_get_wrapper_errors_list(const char *wrapper_name)
 	}
 }
 
-void php_stream_display_wrapper_errors(php_stream_wrapper *wrapper,
+PHPAPI void php_stream_display_wrapper_name_errors(const char *wrapper_name,
 		php_stream_context *context, int code, const char *path, const char *caption)
 {
 	char *msg;
@@ -462,73 +474,84 @@ void php_stream_display_wrapper_errors(php_stream_wrapper *wrapper,
 		return;
 	}
 
-	const char *wrapper_name = wrapper ? wrapper->wops->label : "unknown";
 	char *tmp = estrdup(path);
-	if (wrapper) {
-		zend_llist *err_list = php_stream_get_wrapper_errors_list(wrapper_name);
-		if (err_list) {
-			size_t l = 0;
-			int brlen;
-			int i;
-			int count = (int) zend_llist_count(err_list);
-			const char *br;
-			php_stream_error_entry **err_entry_p;
-			zend_llist_position pos;
-
-			if (PG(html_errors)) {
-				brlen = 7;
-				br = "<br />\n";
-			} else {
-				brlen = 1;
-				br = "\n";
-			}
+	zend_llist *err_list = php_stream_get_wrapper_errors_list(wrapper_name);
+	if (err_list) {
+		size_t l = 0;
+		int brlen;
+		int i;
+		int count = (int) zend_llist_count(err_list);
+		const char *br;
+		php_stream_error_entry **err_entry_p;
+		zend_llist_position pos;
+
+		if (PG(html_errors)) {
+			brlen = 7;
+			br = "<br />\n";
+		} else {
+			brlen = 1;
+			br = "\n";
+		}
 
-			for (err_entry_p = zend_llist_get_first_ex(err_list, &pos), i = 0; err_entry_p;
-					err_entry_p = zend_llist_get_next_ex(err_list, &pos), i++) {
-				l += ZSTR_LEN((*err_entry_p)->message);
-				if (i < count - 1) {
-					l += brlen;
-				}
+		for (err_entry_p = zend_llist_get_first_ex(err_list, &pos), i = 0; err_entry_p;
+				err_entry_p = zend_llist_get_next_ex(err_list, &pos), i++) {
+			l += ZSTR_LEN((*err_entry_p)->message);
+			if (i < count - 1) {
+				l += brlen;
 			}
-			msg = emalloc(l + 1);
-			msg[0] = '\0';
-			for (err_entry_p = zend_llist_get_first_ex(err_list, &pos), i = 0; err_entry_p;
-					err_entry_p = zend_llist_get_next_ex(err_list, &pos), i++) {
-				strcat(msg, ZSTR_VAL((*err_entry_p)->message));
-				if (i < count - 1) {
-					strcat(msg, br);
-				}
+		}
+		msg = emalloc(l + 1);
+		msg[0] = '\0';
+		for (err_entry_p = zend_llist_get_first_ex(err_list, &pos), i = 0; err_entry_p;
+				err_entry_p = zend_llist_get_next_ex(err_list, &pos), i++) {
+			strcat(msg, ZSTR_VAL((*err_entry_p)->message));
+			if (i < count - 1) {
+				strcat(msg, br);
 			}
+		}
 
-			free_msg = 1;
+		free_msg = 1;
+	} else {
+		if (!strcmp(wrapper_name, php_plain_files_wrapper.wops->label)) {
+			msg = php_socket_strerror_s(errno, errstr, sizeof(errstr));
 		} else {
-			if (wrapper == &php_plain_files_wrapper) {
-				msg = php_socket_strerror_s(errno, errstr, sizeof(errstr));
-			} else {
-				msg = "operation failed";
-			}
+			msg = "operation failed";
 		}
-	} else {
-		msg = "no suitable wrapper could be found";
 	}
 
 	php_strip_url_passwd(tmp);
-	php_stream_wrapper_warn_param(wrapper, context, REPORT_ERRORS, code, tmp,
-			"%s: %s", caption, msg);
-	efree(tmp);
+	php_stream_wrapper_error_internal_with_name_variadic(wrapper_name, context, NULL, REPORT_ERRORS,
+			E_WARNING, true, code, tmp, "%s: %s", caption, msg);
+
 	if (free_msg) {
 		efree(msg);
 	}
 }
 
-void php_stream_tidy_wrapper_error_log(php_stream_wrapper *wrapper)
+PHPAPI void php_stream_display_wrapper_errors(php_stream_wrapper *wrapper,
+		php_stream_context *context, int code, const char *path, const char *caption)
 {
-	if (wrapper && FG(wrapper_logged_errors)) {
-		const char *wrapper_name = wrapper ? wrapper->wops->label : "unknown";
+	if (wrapper) {
+		const char *wrapper_name = PHP_STREAM_ERROR_WRAPPER_NAME(wrapper);
+		php_stream_display_wrapper_errors(wrapper_name, context, code, path, caption);
+	}
+}
+
+PHPAPI void php_stream_tidy_wrapper_name_error_log(const char *wrapper_name)
+{
+	if (FG(wrapper_logged_errors)) {
 		zend_hash_str_del(FG(wrapper_logged_errors), wrapper_name, strlen(wrapper_name));
 	}
 }
 
+PHPAPI void php_stream_tidy_wrapper_error_log(php_stream_wrapper *wrapper)
+{
+	if (wrapper) {
+		const char *wrapper_name = PHP_STREAM_ERROR_WRAPPER_NAME(wrapper);
+		php_stream_tidy_wrapper_name_error_log(wrapper_name);
+	}
+}
+
 /* Stream error reporting */
 
 PHPAPI void php_stream_error(php_stream *stream, const char *docref, int severity, bool terminal,
@@ -549,8 +572,8 @@ PHPAPI void php_stream_error(php_stream *stream, const char *docref, int severit
 			severity, terminal);
 
 	/* Store error */
-	php_stream_store_error_common(context, stream, message, docref, code, wrapper_name, NULL,
-			severity, terminal);
+	php_stream_store_error_common(
+			context, stream, message, docref, code, wrapper_name, NULL, severity, terminal);
 
 	zend_string_release(message);
 }

main/streams/streams.c

@@ -2151,6 +2151,8 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod
 		return NULL;
 	}
 
+	/* wrapper name needs to be stored as wrapper can be removed in opener (user stream) */
+	char *wrapper_name = pestrdup(PHP_STREAM_ERROR_WRAPPER_NAME(wrapper), persistent);
 	if (wrapper) {
 		if (!wrapper->wops->stream_opener) {
 			php_stream_wrapper_log_warn(wrapper, context, options & ~REPORT_ERRORS,
@@ -2205,6 +2207,7 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod
 				if (resolved_path) {
 					zend_string_release_ex(resolved_path, 0);
 				}
+				pefree(wrapper_name, persistent);
 				return stream;
 			case PHP_STREAM_RELEASED:
 				if (newstream->orig_path) {
@@ -2214,6 +2217,7 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod
 				if (resolved_path) {
 					zend_string_release_ex(resolved_path, 0);
 				}
+				pefree(wrapper_name, persistent);
 				return newstream;
 			default:
 				php_stream_close(stream);
@@ -2241,14 +2245,15 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod
 	}
 
 	if (stream == NULL && (options & REPORT_ERRORS)) {
-		php_stream_display_wrapper_errors(wrapper, context, STREAM_ERROR_CODE_OPEN_FAILED, path,
+		php_stream_display_wrapper_name_errors(wrapper_name, context, STREAM_ERROR_CODE_OPEN_FAILED, path,
 				"Failed to open stream");
 		if (opened_path && *opened_path) {
 			zend_string_release_ex(*opened_path, 0);
 			*opened_path = NULL;
 		}
 	}
-	php_stream_tidy_wrapper_error_log(wrapper);
+	php_stream_tidy_wrapper_name_error_log(wrapper_name);
+	pefree(wrapper_name, persistent);
 	if (resolved_path) {
 		zend_string_release_ex(resolved_path, 0);
 	}