Conversation

bugBotter
Owner

No description provided.

@cursor cursor bot left a comment

Bug: Memory Leak and Dangling Pointer in Blacklist Handling

The realloc() call in zend_accel_blacklist_allocate does not check for a NULL return value. If realloc() fails, blacklist->entries is set to NULL, causing a memory leak of the original block and potential segmentation faults on subsequent access. Additionally, in zend_accel_blacklist_shutdown, blacklist->regexp_list is freed but not set to NULL, leaving a dangling pointer that could lead to use-after-free errors if accessed before re-initialization.

opcache/zend_accelerator_blacklist.c#L220-L238

    blacklist->entries = NULL;
    if (blacklist->regexp_list) {
        zend_regexp_list *temp, *it = blacklist->regexp_list;
        while (it) {
            pcre2_code_free(it->re);
            temp = it;
            it = it->next;
            free(temp);
        }
    }
}

static inline void zend_accel_blacklist_allocate(zend_blacklist *blacklist)
{
    if (blacklist->pos == blacklist->size) {
        blacklist->size += ZEND_BLACKLIST_BLOCK_SIZE;
        blacklist->entries = (zend_blacklist_entry *) realloc(blacklist->entries, sizeof(zend_blacklist_entry)*blacklist->size);
    }
}


Bug: Regex Expansion Causes Buffer Overflow

A buffer overflow vulnerability exists in zend_accel_blacklist_update_regexp during regex pattern construction. Wildcard characters (e.g., '?' or '*') are converted into multi-character regex patterns (e.g., '*' expands to "[^\\\\]*" on Windows, 6 characters). The loop's buffer boundary check (p < end) is insufficient as it doesn't account for these character expansions, allowing writes to exceed the buffer boundary. The end pointer calculation also uses an incorrect sizeof value, slightly reducing the available buffer space. Additionally, comments for the '?' wildcard incorrectly describe '*' expansion.

opcache/zend_accelerator_blacklist.c#L92-L141

    p = regexp + 2;
    end = regexp + sizeof(regexp) - sizeof("[^\\\\]*)\0");
    for (i = 0; i < blacklist->pos; ) {
        c = blacklist->entries[i].path;
        if (p + blacklist->entries[i].path_length < end) {
            while (*c && p < end) {
                switch (*c) {
                    case '?':
                        c++;
#ifdef ZEND_WIN32
                        p[0] = '['; /* * => [^\\] on Win32 */
                        p[1] = '^';
                        p[2] = '\\';
                        p[3] = '\\';
                        p[4] = ']';
                        p += 5;
#else
                        p[0] = '['; /* * => [^/] on *nix */
                        p[1] = '^';
                        p[2] = '/';
                        p[3] = ']';
                        p += 4;
#endif
                        break;
                    case '*':
                        c++;
                        if (*c == '*') {
                            c++;
                            p[0] = '.'; /* ** => .* */
                            p[1] = '*';
                            p += 2;
                        } else {
#ifdef ZEND_WIN32
                            p[0] = '['; /* * => [^\\]* on Win32 */
                            p[1] = '^';
                            p[2] = '\\';
                            p[3] = '\\';
                            p[4] = ']';
                            p[5] = '*';
                            p += 6;
#else
                            p[0] = '['; /* * => [^/]* on *nix */
                            p[1] = '^';
                            p[2] = '/';
                            p[3] = ']';
                            p[4] = '*';
                            p += 5;
#endif
                        }


Bug: Buffer Underflow in Quote Stripping

The ctrl-m prefix stripping (lines 272-276) advances the pbuf pointer and decrements path_length without ensuring path_length remains the correct length relative to the new pbuf position. This causes the subsequent quote stripping logic (lines 279-282) to use an incorrect index pbuf[path_length - 1]. This can lead to a buffer underflow if path_length becomes 0, or to path_length becoming negative (e.g., for a single quote input "), resulting in undefined behavior.

opcache/zend_accelerator_blacklist.c#L271-L282

    /* Strip ctrl-m prefix */
    pbuf = &buf[0];
    while (*pbuf == '\r') {
        *pbuf++ = 0;
        path_length--;
    }
    /* strip \" */
    if (pbuf[0] == '\"' && pbuf[path_length - 1] == '\"') {
        *pbuf++ = 0;
        path_length -= 2;
    }


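A bounds-aware version of the wildcard expansion from the second finding, added here as an illustration; it is not code from php-src or from the bot's report. It uses the *nix mappings shown in the excerpt ('?' to [^/], '*' to [^/]*, '**' to .*), copies other characters unescaped, and the names token_cost, emit_token and expand_glob are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Output bytes one token costs on *nix ('?' -> "[^/]", '*' -> "[^/]*",
 * "**" -> ".*", anything else copied as one literal byte) and how many
 * input bytes it consumes. Hypothetical helper, not from php-src. */
static size_t token_cost(const char *c, size_t *consumed)
{
    if (c[0] == '?') { *consumed = 1; return 4; }
    if (c[0] == '*' && c[1] == '*') { *consumed = 2; return 2; }
    if (c[0] == '*') { *consumed = 1; return 5; }
    *consumed = 1;
    return 1;
}

/* Write one token's expansion at p; the caller has already checked room. */
static void emit_token(const char *c, char *p)
{
    if (c[0] == '?') memcpy(p, "[^/]", 4);
    else if (c[0] == '*' && c[1] == '*') memcpy(p, ".*", 2);
    else if (c[0] == '*') memcpy(p, "[^/]*", 5);
    else p[0] = c[0];
}

/* Expand a blacklist glob into out. Returns the length written (without
 * the NUL) or -1 when the expansion plus NUL would not fit. The room
 * check happens per token, before writing, against the bytes that token
 * needs; the excerpt's "p < end" check runs per input character and lets
 * a 4-6 byte expansion start on the last byte before end. */
long expand_glob(const char *path, char *out, size_t out_size)
{
    char *p = out, *end = out + out_size;
    size_t consumed, need;
    if (out_size == 0)
        return -1;
    for (const char *c = path; *c; c += consumed) {
        need = token_cost(c, &consumed);
        if (need + 1 > (size_t)(end - p))   /* +1 keeps room for the NUL */
            return -1;
        emit_token(c, p);
        p += need;
    }
    *p = '\0';
    return (long)(p - out);
}
```

Constructed inputs such as "a*b" need 7 bytes plus the NUL, so an 8-byte buffer succeeds and a 7-byte one is rejected before any write instead of overflowing.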