Closed
Description
The following code:
```php
<?php
$v_348376 = 'hello world\nis a very common test\nfor all languages';
$v_348377 = 'gzfile_temp';
$v_348461 = 'x';
$v_348462 = mb_regex_set_options($v_348461,);
$v_348379 = $v_348461 . $v_348462;
$v_348473 = 'php://output';
$v_348474 = 'w';
$v_348475 = fopen($v_348473,$v_348474,);
$v_348479 = fclose($v_348475,);
$v_348380 = mkdir($v_348479,);
$v_348458 = 'file size: %d\n';
$v_348443 = ob_get_clean();
$v_348459 = strlen($v_348443,);
$v_348460 = printf($v_348458,$v_348459,);
$v_348382 = gzopen($v_348473,$v_348460,);
```
Resulted in this output:
```
Warning: mkdir(): File exists in /home/w023dtc/TreeFuzz/py_tool/e0c556134202c53768b6.php.er on line 11
file size: 0\n
Warning: gzopen(php://output): could not make seekable - php://output in /home/w023dtc/TreeFuzz/py_tool/e0c556134202c53768b6.php.er on line 16
=================================================================
==3466573==ERROR: AddressSanitizer: attempting double-free on 0x60200001cbd0 in thread T0:
    #0 0x682742 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682742)
    #1 0x582a703 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x58357bb in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x531236d in _php_stream_open_wrapper_ex /home/w023dtc/nightly_php/php-src/main/streams/streams.c:2359:3
    #4 0xf26da3 in php_stream_gzopen /home/w023dtc/nightly_php/php-src/ext/zlib/zlib_fopen_wrapper.c:188:16
    #5 0xf02d9c in zif_gzopen /home/w023dtc/nightly_php/php-src/ext/zlib/zlib.c:664:11
    #6 0x614302f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1421:2
    #7 0x5c5edbb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115602:12
    #8 0x5c6134c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121314:2
    #9 0x69e2689 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #10 0x51c182a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #11 0x51c2968 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #12 0x69f759a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #13 0x69f197f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #14 0x1497c8b2cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x1497c8b2ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #16 0x607ae4 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607ae4)

0x60200001cbd0 is located 0 bytes inside of 13-byte region [0x60200001cbd0,0x60200001cbdd)
freed by thread T0 here:
    #0 0x682742 in free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682742)
    #1 0x582a703 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x58357bb in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x52ed300 in _php_stream_free /home/w023dtc/nightly_php/php-src/main/streams/streams.c:525:4
    #4 0x5311ac5 in _php_stream_open_wrapper_ex /home/w023dtc/nightly_php/php-src/main/streams/streams.c:2326:5
    #5 0xf26da3 in php_stream_gzopen /home/w023dtc/nightly_php/php-src/ext/zlib/zlib_fopen_wrapper.c:188:16
    #6 0xf02d9c in zif_gzopen /home/w023dtc/nightly_php/php-src/ext/zlib/zlib.c:664:11
    #7 0x614302f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1421:2
    #8 0x5c5edbb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115602:12
    #9 0x5c6134c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121314:2
    #10 0x69e2689 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #11 0x51c182a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #12 0x51c2968 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #13 0x69f759a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #14 0x69f197f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #15 0x1497c8b2cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6829ad in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6829ad)
    #1 0x5836a73 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x58351d9 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x5836df9 in _estrdup /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2861:15
    #4 0x53111ce in _php_stream_open_wrapper_ex /home/w023dtc/nightly_php/php-src/main/streams/streams.c:2297:18
    #5 0xf26da3 in php_stream_gzopen /home/w023dtc/nightly_php/php-src/ext/zlib/zlib_fopen_wrapper.c:188:16
    #6 0xf02d9c in zif_gzopen /home/w023dtc/nightly_php/php-src/ext/zlib/zlib.c:664:11
    #7 0x614302f in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1421:2
    #8 0x5c5edbb in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:115602:12
    #9 0x5c6134c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121314:2
    #10 0x69e2689 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #11 0x51c182a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2640:13
    #12 0x51c2968 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2680:9
    #13 0x69f759a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
    #14 0x69f197f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
    #15 0x1497c8b2cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: double-free (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682742) in free
==3466573==ABORTING
```
```
USE_ZEND_ALLOC=0 php script.php
```
PHP Version
nightly
Operating System
Ubuntu 22.04
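The three stacks in the report show `_php_stream_open_wrapper_ex` duplicating a 13-byte string with `_estrdup`, releasing it through `_php_stream_free`, and then passing it to `_efree` again. The C sketch below is an added, simplified model of that ownership pattern, not php-src code and not part of the original report. The struct, the function names and the control flow are assumptions, and frees are counted rather than executed so the repeat can be observed safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model: names and control flow are assumptions, not php-src code. */
typedef struct { char *orig_path; } stream_t;

static char *tracked;        /* address of the duplicated path */
static int free_requests;    /* times that address was handed to the free routine */
size_t model_copy_size;      /* size of the duplicated path, including the NUL */

/* Counts the request instead of freeing, so a repeat is observable, not UB. */
static void model_efree(char *p) { if (p != NULL && p == tracked) free_requests++; }

static void model_stream_free(stream_t *s) {
    model_efree(s->orig_path);          /* the stream owns orig_path */
    free(s);
}

/* Returns how many times the path copy was freed during one open attempt. */
int open_wrapper_model(const char *path, int seekable_ok, int hardened) {
    model_copy_size = strlen(path) + 1;
    char *path_copy = malloc(model_copy_size);
    stream_t *s = malloc(sizeof *s);
    if (path_copy == NULL || s == NULL) { free(path_copy); free(s); return -1; }
    memcpy(path_copy, path, model_copy_size);
    tracked = path_copy;
    free_requests = 0;

    s->orig_path = path_copy;           /* ownership handed to the stream */
    if (hardened) path_copy = NULL;     /* fix: drop the local alias at hand-off */

    if (!seekable_ok) {                 /* "could not make seekable" branch */
        model_stream_free(s);           /* first free, through the stream */
        s = NULL;
    }
    if (s == NULL) model_efree(path_copy);  /* failure cleanup: second free if alias kept */
    if (s != NULL) model_stream_free(s);    /* success: stream is closed later, one free */

    free(tracked);                      /* the real release happens exactly once */
    tracked = NULL;
    return free_requests;
}

int main(void) {
    printf("alias kept, seek fails:    %d frees\n", open_wrapper_model("php://output", 0, 0));
    printf("alias cleared, seek fails: %d frees\n", open_wrapper_model("php://output", 0, 1));
    return 0;
}
```

The copy of `php://output` is 13 bytes with its terminator, matching the region size AddressSanitizer reports.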