Skip to content

Fix GH-17047: UAF on iconv filter failure #17058

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fix GH-17047: UAF on iconv filter failure #17058

wants to merge 1 commit into from

Conversation

nielsdos
Copy link
Member

@nielsdos nielsdos commented Dec 5, 2024

The first while loop sets the bucket variable, and this is freed in out_failure. However, when the second "goto out_failure" is triggered then bucket still refers to the bucket from the first while loop, causing a UAF.
Fix this by separating the error paths.

@nielsdos
Fix phpGH-17047: UAF on iconv filter failure
89358bc 
The first while loop sets the bucket variable, and this is freed in
out_failure. However, when the second "goto out_failure" is triggered
then bucket still refers to the bucket from the first while loop,
causing a UAF.
Fix this by separating the error paths.
@nielsdos nielsdos linked an issue Dec 5, 2024 that may be closed by this pull request
UAF on iconv filter failure #17047
Closed
@nielsdos nielsdos closed this in ddbd396 Dec 6, 2024
charmitro pushed a commit to wasix-org/php that referenced this pull request Mar 13, 2025
@nielsdos @charmitro
Fix phpGH-17047: UAF on iconv filter failure
44bf37d 
The first while loop sets the bucket variable, and this is freed in
out_failure. However, when the second "goto out_failure" is triggered
then bucket still refers to the bucket from the first while loop,
causing a UAF.
Fix this by separating the error paths.

Closes phpGH-17058.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cmb69 cmb69 cmb69 approved these changes

@devnexen devnexen devnexen approved these changes

Assignees

No one assigned

Labels

Extension: iconv

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

UAF on iconv filter failure

3 participants

@nielsdos @cmb69 @devnexen