Closed as not planned
Description
The following code:

```php
<?php
define('v1', 0xFFFFFFFF);
$v3 = array();
$v4 = FFI::cdef();
$v5 = $v4->new("int*[3]");
for ($i = 0; $i < 2; $i++) {
    $v5[$i] = $v4->new("int[1]", false);  // unmanaged buffers, must be freed manually
}
$v5[2] = $v5[1];  // slot 2 now holds the same pointer as slot 1
$v5[1][0] = v1;
for ($i = 0; $i < 3; $i++) {
    FFI::free($v5[$i]);  // the buffer behind slots 1 and 2 is freed twice
}
?>
```

Resulted in this output:
```text
=================================================================
==3220220==ERROR: AddressSanitizer: attempting double-free on 0x60200001a1f0 in thread T0:
    #0 0x1511dd138537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x557455fddae7 in zim_FFI_free /home/w023dtc/nightly_php/php-src/ext/ffi/ffi.c:3987
    #2 0x55745748a0eb in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1988
    #3 0x55745748a0eb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:58950
    #4 0x5574574ad2cf in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:64337
    #5 0x55745767229f in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1943
    #6 0x557456e11ec3 in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2594
    #7 0x55745767825e in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952
    #8 0x5574559c4fe2 in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1355
    #9 0x1511d9336d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #10 0x1511d9336e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #11 0x5574559c6334 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x2d79334)

0x60200001a1f0 is located 0 bytes inside of 4-byte region [0x60200001a1f0,0x60200001a1f4)
freed by thread T0 here:
    #0 0x1511dd138537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x557455fddae7 in zim_FFI_free /home/w023dtc/nightly_php/php-src/ext/ffi/ffi.c:3987
    #2 0x55745748a0eb in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1988
    #3 0x55745748a0eb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:58950
    #4 0x5574574ad2cf in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:64337
    #5 0x55745767229f in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1943
    #6 0x557456e11ec3 in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2594
    #7 0x55745767825e in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952
    #8 0x5574559c4fe2 in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1355
    #9 0x1511d9336d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

previously allocated by thread T0 here:
    #0 0x1511dd138887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55745701dc34 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3504
    #2 0x557455ff9e97 in zim_FFI_new /home/w023dtc/nightly_php/php-src/ext/ffi/ffi.c:3951
    #3 0x5574574909a0 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2113
    #4 0x5574574909a0 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:58955
    #5 0x5574574ad2cf in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:64337
    #6 0x55745767229f in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1943
    #7 0x557456e11ec3 in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2594
    #8 0x55745767825e in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952
    #9 0x5574559c4fe2 in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1355
    #10 0x1511d9336d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
==3220220==ABORTING
```

Run with `USE_ZEND_ALLOC=0`.
PHP Version: nightly

Operating System: ubuntu 22.04
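The reproducer above frees the buffer shared by slot 1 and slot 2 once per slot. As an added example (not the reporter's code and not part of php-src), here is the pattern that avoids this: every unmanaged allocation is recorded in an ownership list and released through that list exactly once, while the pointer array is treated purely as a view that may contain aliases. The helper names `allocInt` and `releaseAll` are my own.

```php
<?php
// Added example: free each FFI allocation exactly once, regardless of how
// many pointer slots alias it. Ownership lives in $owned, not in $slots.
$ffi = FFI::cdef();

/** Allocate an unmanaged int[1] and register it as owned by the caller. */
function allocInt(FFI $ffi, array &$owned): FFI\CData
{
    $buf = $ffi->new("int[1]", false);   // owned=false: PHP will not free it
    $owned[] = $buf;                     // one list entry per allocation
    return $buf;
}

/** Free every owned buffer once and clear the pointer view. Returns the count freed. */
function releaseAll(array &$owned, FFI\CData $slots, int $slotCount): int
{
    $freed = 0;
    foreach ($owned as $buf) {
        FFI::free($buf);                 // each buffer appears here exactly once
        $freed++;
    }
    $owned = [];
    // Null every slot so neither the original pointer nor its alias dangles.
    for ($i = 0; $i < $slotCount; $i++) {
        $slots[$i] = null;
    }
    return $freed;
}

$owned = [];
$slots = $ffi->new("int*[3]");
$slots[0] = allocInt($ffi, $owned);
$slots[1] = allocInt($ffi, $owned);
$slots[2] = $slots[1];                   // alias of slot 1, not a new allocation
$slots[1][0] = 0xFFFFFFFF;               // stored as int; visible through $slots[2] too

$count = releaseAll($owned, $slots, 3);  // frees 2 buffers, never the alias twice
echo "freed {$count} buffers\n";
```

Freeing by iterating the pointer array would need address-level deduplication; keeping an ownership list sidesteps that entirely and keeps the free count tied to the allocation count.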