Fix GH-11028 (Heap Buffer Overflow in zval_undefined_cv.) #8
For analysis see php#11028 (comment)
01df68b to d47798b
ndossche pushed a commit that referenced this pull request on Oct 13, 2024
Even without sanitizers it is reproducible, but with the following
```php
<?php
$g = gmp_init(256);
var_dump(gmp_pow($g, PHP_INT_MAX));
```
we get this:
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==286922==ERROR: AddressSanitizer: FPE on unknown address 0x03e8000460ca (pc 0x7faf6c69de5c bp 0x400000000000004 sp 0x7ffe9843c740 T0)
#0 0x7faf6c69de5c in __pthread_kill_implementation nptl/pthread_kill.c:44
#1 0x7faf6c649c81 in __GI_raise ../sysdeps/posix/raise.c:26
#2 0x7faf6db9386c in __gmp_exception (/lib/x86_64-linux-gnu/libgmp.so.10+0xd86c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#3 0x7faf6db938d3 in __gmp_overflow_in_mpz (/lib/x86_64-linux-gnu/libgmp.so.10+0xd8d3) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#4 0x7faf6dbac95c in __gmpz_realloc (/lib/x86_64-linux-gnu/libgmp.so.10+0x2695c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#5 0x7faf6dba9038 in __gmpz_n_pow_ui (/lib/x86_64-linux-gnu/libgmp.so.10+0x23038) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#6 0x5565ae1ccd9f in zif_gmp_pow /home/dcarlier/Contribs/php-src/ext/gmp/gmp.c:1286
#7 0x5565aee96ea9 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:1312
#8 0x5565af144320 in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:56075
#9 0x5565af160f07 in zend_execute /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:60439
#10 0x5565aed6fafe in zend_execute_scripts /home/dcarlier/Contribs/php-src/Zend/zend.c:1842
#11 0x5565aeae70a8 in php_execute_script /home/dcarlier/Contribs/php-src/main/main.c:2578
#12 0x5565af532f4e in do_cli /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:964
#13 0x5565af535877 in main /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1334
#14 0x7faf6c633d67 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7faf6c633e24 in __libc_start_main_impl ../csu/libc-start.c:360
#16 0x5565adc04040 in _start (/home/dcarlier/Contribs/php-src/sapi/cli/php+0x2604040) (BuildId: 949049955bdf8b7197390b1978a1dfc3ef6fdf38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE nptl/pthread_kill.c:44 in __pthread_kill_implementation
==286922==ABORTING
```
ndossche pushed a commit that referenced this pull request on Oct 26, 2024
Even without sanitizers it is reproducible, but with the following
```php
<?php
$g = gmp_init(256);
var_dump(gmp_pow($g, PHP_INT_MAX));
```
we get this:
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==286922==ERROR: AddressSanitizer: FPE on unknown address 0x03e8000460ca (pc 0x7faf6c69de5c bp 0x400000000000004 sp 0x7ffe9843c740 T0)
#0 0x7faf6c69de5c in __pthread_kill_implementation nptl/pthread_kill.c:44
#1 0x7faf6c649c81 in __GI_raise ../sysdeps/posix/raise.c:26
#2 0x7faf6db9386c in __gmp_exception (/lib/x86_64-linux-gnu/libgmp.so.10+0xd86c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#3 0x7faf6db938d3 in __gmp_overflow_in_mpz (/lib/x86_64-linux-gnu/libgmp.so.10+0xd8d3) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#4 0x7faf6dbac95c in __gmpz_realloc (/lib/x86_64-linux-gnu/libgmp.so.10+0x2695c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#5 0x7faf6dba9038 in __gmpz_n_pow_ui (/lib/x86_64-linux-gnu/libgmp.so.10+0x23038) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#6 0x5565ae1ccd9f in zif_gmp_pow /home/dcarlier/Contribs/php-src/ext/gmp/gmp.c:1286
#7 0x5565aee96ea9 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:1312
#8 0x5565af144320 in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:56075
#9 0x5565af160f07 in zend_execute /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:60439
#10 0x5565aed6fafe in zend_execute_scripts /home/dcarlier/Contribs/php-src/Zend/zend.c:1842
#11 0x5565aeae70a8 in php_execute_script /home/dcarlier/Contribs/php-src/main/main.c:2578
#12 0x5565af532f4e in do_cli /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:964
#13 0x5565af535877 in main /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1334
#14 0x7faf6c633d67 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7faf6c633e24 in __libc_start_main_impl ../csu/libc-start.c:360
#16 0x5565adc04040 in _start (/home/dcarlier/Contribs/php-src/sapi/cli/php+0x2604040) (BuildId: 949049955bdf8b7197390b1978a1dfc3ef6fdf38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE nptl/pthread_kill.c:44 in __pthread_kill_implementation
==286922==ABORTING
```
close phpGH-16384
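The trace in both of the gmp_pow commits above ends in GMP's `__gmp_exception`, which raises SIGFPE instead of returning an error, so the only place to stop an oversized exponent is before the library is called. The following C example is added here and is not php-src's fix nor GMP code: a hypothetical guard, `pow_result_fits`, bounds the size of `base^exp` by `bit_length(base) * exp` with overflow-checked multiplication and refuses the computation when that bound exceeds a policy limit `max_bits` (an assumed value, not a PHP setting).

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Number of significant bits in v (0 for v == 0). */
static unsigned long bit_length(unsigned long v) {
    unsigned long bits = 0;
    while (v != 0) { bits++; v >>= 1; }
    return bits;
}

/* Hypothetical pre-check (not php-src's fix): decide whether base^exp can be
 * computed under a result-size budget of max_bits bits. The result has at
 * most bit_length(base) * exp bits, so that product is a safe upper bound.
 * The multiplication is done with overflow detection because a huge exp
 * (the PHP_INT_MAX of the reproducer) would otherwise wrap the estimate to
 * a small number and let the call through. */
bool pow_result_fits(unsigned long base, unsigned long exp, unsigned long max_bits) {
    unsigned long base_bits = bit_length(base);
    if (base_bits <= 1) return true;             /* 0^n and 1^n never grow */
    unsigned long bound;
    if (__builtin_mul_overflow(base_bits, exp, &bound)) return false;
    return bound <= max_bits;
}

int main(void) {
    const unsigned long budget = 1UL << 24;      /* assumed policy: 16 Mi bits */
    printf("256^10 fits: %d\n", pow_result_fits(256, 10, budget));
    printf("256^%lu fits: %d\n", (unsigned long)LONG_MAX,
           pow_result_fits(256, (unsigned long)LONG_MAX, budget));
    return 0;
}
```

The bound is deliberately coarse (it over-approximates by up to one bit per multiplication), which is the right direction for a guard: it can only reject computations that would have fit, never admit one that would exhaust memory or trip GMP's size overflow.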
ndossche pushed a commit that referenced this pull request on Mar 29, 2025
```
ext/gd/libgd/gd.c:2275:14: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
#0 0x5d6a2103e1db in php_gd_gdImageCopy /home/dcarlier/Contribs/php-src/ext/gd/libgd/gd.c:2275
#1 0x5d6a210a2b63 in gdImageCrop /home/dcarlier/Contribs/php-src/ext/gd/libgd/gd_crop.c:57
#2 0x5d6a21018ca4 in zif_imagecrop /home/dcarlier/Contribs/php-src/ext/gd/gd.c:3575
#3 0x5d6a21e46e7a in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:1337
#4 0x5d6a221188da in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:57246
#5 0x5d6a221366bd in zend_execute /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:61634
#6 0x5d6a21d107a6 in zend_execute_scripts /home/dcarlier/Contribs/php-src/Zend/zend.c:1895
#7 0x5d6a21a63409 in php_execute_script /home/dcarlier/Contribs/php-src/main/main.c:2529
#8 0x5d6a22516d5e in do_cli /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:966
#9 0x5d6a2251981d in main /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1341
#10 0x7f10d002a3b7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x7f10d002a47a in __libc_start_main_impl ../csu/libc-start.c:360
#12 0x5d6a20a06da4 in _start (/home/dcarlier/Contribs/php-src/sapi/cli/php+0x2806da4) (BuildId: d9a79c7e0e4872311439d7313cb3a81fe04190a2)
```
close phpGH-18006
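The UBSan line above reports `2147483647 + 1` in `gdImageCopy`, i.e. a crop rectangle whose far edge does not fit in an `int`. As an added C example, not libgd's or php-src's code, the block below shows two ways a caller can validate such a rectangle before any pixel copying starts: a strict check that uses `__builtin_add_overflow` so the edge sum cannot wrap, and a lenient variant that clips the rectangle to the image using 64-bit arithmetic. The `rect_t` type and the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Crop rectangle in image coordinates (hypothetical type, not libgd's). */
typedef struct { int x, y, width, height; } rect_t;

/* Strict check: true only when the rectangle is non-empty, starts inside
 * the image, and its far edges, computed with overflow detection, stay
 * inside an img_w x img_h image. The reproducer's 2147483647 + 1 is exactly
 * the kind of sum __builtin_add_overflow reports instead of wrapping. */
bool crop_rect_is_valid(rect_t r, int img_w, int img_h) {
    int right, bottom;
    if (r.width <= 0 || r.height <= 0 || r.x < 0 || r.y < 0) return false;
    if (__builtin_add_overflow(r.x, r.width, &right)) return false;
    if (__builtin_add_overflow(r.y, r.height, &bottom)) return false;
    return right <= img_w && bottom <= img_h;
}

/* Lenient variant: clip the rectangle to the image instead of rejecting it.
 * Edges are computed in 64-bit so no sum of two ints can wrap; an empty
 * intersection is reported as failure. */
bool crop_rect_clip(rect_t in, int img_w, int img_h, rect_t *out) {
    if (in.width <= 0 || in.height <= 0) return false;
    long long left   = in.x < 0 ? 0 : in.x;
    long long top    = in.y < 0 ? 0 : in.y;
    long long right  = (long long)in.x + in.width;
    long long bottom = (long long)in.y + in.height;
    if (right > img_w)  right = img_w;
    if (bottom > img_h) bottom = img_h;
    if (right <= left || bottom <= top) return false;
    out->x = (int)left;
    out->y = (int)top;
    out->width = (int)(right - left);
    out->height = (int)(bottom - top);
    return true;
}

int main(void) {
    rect_t bad = { 1, 0, INT_MAX, 1 }, clipped;
    printf("strict check accepts: %d\n", crop_rect_is_valid(bad, 100, 100));
    if (crop_rect_clip(bad, 100, 100, &clipped))
        printf("clipped to %dx%d at (%d,%d)\n",
               clipped.width, clipped.height, clipped.x, clipped.y);
    return 0;
}
```

Which variant to use is an API decision: a function documented to fail on out-of-range input should take the strict path, while one documented to clip must still compute the clipped edges without undefined behaviour, which is why the wider type is used there.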
ndossche added a commit that referenced this pull request on Jan 21, 2026
Most functions in OpenSSL can handle NULL arguments, but apparently i2d_PKCS12_bio does not. Prevent crashes by adding a NULL check.
ASAN trace:
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==132158==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7fc646e33b69 bp 0x7fff7fe53d30 sp 0x7fff7fe53d18 T0)
==132158==The signal is caused by a WRITE memory access.
==132158==Hint: address points to the zero page.
#0 0x7fc646e33b69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#1 0x7fc646e3eac2 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#2 0x7fc646f126f0 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#3 0x7fc646f12aa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#4 0x7fc647038adf in PEM_write_bio_PrivateKey_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2adf) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#5 0x7fc647038bc7 in PEM_write_bio_PrivateKey (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2bc7) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#6 0x55ed204f881e in zif_openssl_pkcs12_read /work/php-src/ext/openssl/openssl.c:1520
#7 0x55ed215aa81b in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /work/php-src/Zend/zend_vm_execute.h:1355
#8 0x55ed217101a9 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116469
#9 0x55ed217253d0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#10 0x55ed21889bcb in zend_execute_script /work/php-src/Zend/zend.c:1980
#11 0x55ed212bc3db in php_execute_script_ex /work/php-src/main/main.c:2645
#12 0x55ed212bc7eb in php_execute_script /work/php-src/main/main.c:2685
#13 0x55ed2188f736 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#14 0x55ed21891d03 in main /work/php-src/sapi/cli/php_cli.c:1362
#15 0x7fc6469c61c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x7fc6469c628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#17 0x55ed20409b54 in _start (/work/php-src/sapi/cli/php+0x609b54) (BuildId: 7ce2ce63d1ea0b60b6ee6599e1c6b5160f97af1e)
```
ndossche added a commit that referenced this pull request on Jan 22, 2026
Only one of the two arrays (subitem) is destroyed, and critext is not.
This leads to a memory leak if the loop bails out:
```
Direct leak of 56 byte(s) in 1 object(s) allocated from:
#0 0x7f309fe699c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x563b9709ca05 in tracked_malloc /work/php-src/Zend/zend_alloc.c:3018
#2 0x563b9709b969 in _emalloc /work/php-src/Zend/zend_alloc.c:2780
#3 0x563b9737dc7b in _zend_new_array /work/php-src/Zend/zend_hash.c:290
#4 0x563b960f40fc in zif_openssl_x509_parse /work/php-src/ext/openssl/openssl.c:1120
#5 0x563b96eb7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#6 0x563b971e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#7 0x563b97340995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#8 0x563b973558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#9 0x563b974ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#10 0x563b96eec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#11 0x563b96eecccb in php_execute_script /work/php-src/main/main.c:2685
#12 0x563b974bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#13 0x563b974c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#14 0x7f309f1641c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#15 0x7f309f16428a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x563b96009b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
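The leak described above is the classic "two temporaries, one freed on the error path" shape. The C example below is added here and is not php-src's code: it models the engine's arrays with a constructed pool allocator that counts live objects, writes the loop once in the leaky shape the commit message describes and once with an error path that releases both arrays, and exposes `arrays_left_after` so the two can be compared without a leak checker. All names (`arr_t`, `result_t`, `process_entry`) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the engine's array type and allocator: a pool
 * plus a live counter lets a test see whether every allocation was matched
 * by a destroy, independent of any sanitizer. */
typedef struct { bool live; } arr_t;
static arr_t pool[64];
static int next_slot;
static int live_arrays;

static arr_t *arr_new(void) {
    arr_t *a = &pool[next_slot++];
    a->live = true;
    live_arrays++;
    return a;
}
static void arr_destroy(arr_t *a) {
    if (a && a->live) { a->live = false; live_arrays--; }
}

/* Owner of everything successfully parsed; destroyed by the caller. */
typedef struct { arr_t *items[64]; int count; } result_t;
void result_destroy(result_t *r) {
    for (int i = 0; i < r->count; i++) arr_destroy(r->items[i]);
    r->count = 0;
}

/* Hypothetical per-entry work that fails on entry fail_at (-1: never). */
static bool process_entry(int i, int fail_at) { return i != fail_at; }

/* Shape of the bug the commit describes: on bail-out only subitem is
 * destroyed and critext is forgotten. Returns false on failure. */
bool parse_entries_leaky(int n, int fail_at, result_t *out) {
    for (int i = 0; i < n; i++) {
        arr_t *subitem = arr_new();
        arr_t *critext = arr_new();
        if (!process_entry(i, fail_at)) {
            arr_destroy(subitem);                 /* critext leaks here */
            result_destroy(out);
            return false;
        }
        out->items[out->count++] = subitem;       /* ownership moves to out */
        out->items[out->count++] = critext;
    }
    return true;
}

/* Fixed shape: the error path releases everything the iteration still
 * owns before unwinding, so a bail-out at any point leaves nothing behind. */
bool parse_entries_fixed(int n, int fail_at, result_t *out) {
    for (int i = 0; i < n; i++) {
        arr_t *subitem = arr_new();
        arr_t *critext = arr_new();
        if (!process_entry(i, fail_at)) {
            arr_destroy(subitem);
            arr_destroy(critext);
            result_destroy(out);
            return false;
        }
        out->items[out->count++] = subitem;
        out->items[out->count++] = critext;
    }
    return true;
}

/* Run one parse (n <= 32) on a fresh pool and report how many arrays are
 * still live afterwards; 0 means nothing leaked. */
int arrays_left_after(bool use_fixed, int n, int fail_at) {
    result_t r = { {0}, 0 };
    next_slot = 0;
    live_arrays = 0;
    bool ok = use_fixed ? parse_entries_fixed(n, fail_at, &r)
                        : parse_entries_leaky(n, fail_at, &r);
    if (ok) result_destroy(&r);
    return live_arrays;
}

int main(void) {
    printf("leaky, fail on entry 1: %d array(s) left\n", arrays_left_after(false, 3, 1));
    printf("fixed, fail on entry 1: %d array(s) left\n", arrays_left_after(true, 3, 1));
    return 0;
}
```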
ndossche added a commit that referenced this pull request on Jan 22, 2026
When the function returns -1, the length passed to the string
constructor is negative:
```
==188567==ERROR: AddressSanitizer: negative-size-param: (size=-1)
#0 0x7f36ea0305bd in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
#1 0x559c568a05b3 in zend_string_init /work/php-src/Zend/zend_string.h:191
#2 0x559c568b3cb7 in add_assoc_stringl_ex /work/php-src/Zend/zend_API.c:1986
#3 0x559c559234a2 in add_assoc_stringl /work/php-src/Zend/zend_API.h:579
#4 0x559c55928b3e in php_openssl_pkey_get_details /work/php-src/ext/openssl/openssl_backend_v3.c:671
#5 0x559c559006d4 in zif_openssl_pkey_get_details /work/php-src/ext/openssl/openssl.c:2319
#6 0x559c566b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#7 0x559c569e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#8 0x559c56b40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#9 0x559c56b558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#10 0x559c56cba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#11 0x559c566ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#12 0x559c566ecccb in php_execute_script /work/php-src/main/main.c:2685
#13 0x559c56cbfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#14 0x559c56cc21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#15 0x7f36e932d1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x7f36e932d28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#17 0x559c55809b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
ndossche added a commit that referenced this pull request on Jan 22, 2026
ASAN report:
```
Direct leak of 272 byte(s) in 1 object(s) allocated from:
#0 0x7f4ce970d9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f4ce8fa97c4 in CRYPTO_zalloc (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2237c4) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#2 0x7f4ce910adbd in X509_STORE_CTX_new_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x384dbd) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#3 0x563e4a51c26c in php_openssl_check_cert /work/php-src/ext/openssl/openssl_backend_common.c:748
#4 0x563e4a4f529c in zif_openssl_x509_checkpurpose /work/php-src/ext/openssl/openssl.c:1221
#5 0x563e4b2b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#6 0x563e4b5e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#7 0x563e4b740995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#8 0x563e4b7558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#9 0x563e4b8ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#10 0x563e4b2ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#11 0x563e4b2ecccb in php_execute_script /work/php-src/main/main.c:2685
#12 0x563e4b8bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#13 0x563e4b8c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#14 0x7f4ce8a081c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#15 0x7f4ce8a0828a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x563e4a409b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
ndossche added a commit that referenced this pull request on Jan 23, 2026
Other locations of EVP_PKEY_CTX_new() pass the pointer into a function
that can handle NULL pointer inputs; OR they check for a NULL pointer.
EVP_PKEY_check() apparently cannot handle a NULL pointer argument:
```
==3749==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000088 (pc 0x7f6f4550c0fb bp 0x7ffcbff3a9c0 sp 0x7ffcbff3a9b0 T0)
==3749==The signal is caused by a READ memory access.
==3749==Hint: address points to the zero page.
#0 0x7f6f4550c0fb in EVP_PKEY_pairwise_check (/lib/x86_64-linux-gnu/libcrypto.so.3+0x20f0fb) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#1 0x561499d27117 in php_openssl_pkey_init_ec /work/php-src/ext/openssl/openssl_backend_v3.c:459
#2 0x561499cfe328 in zif_openssl_pkey_new /work/php-src/ext/openssl/openssl.c:2061
#3 0x56149aab7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#4 0x56149ade024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#5 0x56149af40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#6 0x56149af558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#7 0x56149b0ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#8 0x56149aaec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#9 0x56149aaecccb in php_execute_script /work/php-src/main/main.c:2685
#10 0x56149b0bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#11 0x56149b0c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#12 0x7f6f44f7f1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#13 0x7f6f44f7f28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#14 0x561499c09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: eb0a8e6b6d683fbdf45156dfed4d76f9110252b9)
```
ndossche added a commit that referenced this pull request on Jan 23, 2026
PEM_write_bio_PUBKEY() cannot handle a NULL argument:
```
==10779==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f426f79db69 bp 0x7fff0ec17940 sp 0x7fff0ec17928 T0)
==10779==The signal is caused by a WRITE memory access.
==10779==Hint: address points to the zero page.
#0 0x7f426f79db69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#1 0x7f426f7a8ac2 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#2 0x7f426f87c6f0 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#3 0x7f426f87caa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#4 0x7f426f99dc5e in PEM_write_bio_PUBKEY (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2edc5e) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#5 0x5637ebd00530 in zif_openssl_pkey_get_details /work/php-src/ext/openssl/openssl.c:2308
#6 0x5637ecab7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#7 0x5637ecde024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#8 0x5637ecf40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#9 0x5637ecf558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#10 0x5637ed0ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#11 0x5637ecaec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#12 0x5637ecaecccb in php_execute_script /work/php-src/main/main.c:2685
#13 0x5637ed0bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#14 0x5637ed0c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#15 0x7f426f3321c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x7f426f33228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#17 0x5637ebc09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: eb0a8e6b6d683fbdf45156dfed4d76f9110252b9)
```
ndossche added a commit that referenced this pull request on Jan 23, 2026
This function returns -1 on failure. Not checking this causes a segfault
if `cert_name` is still NULL, i.e. if the failure happens on the first
iteration. If the failure happens on the second iteration, we get a
use-after-free.
NULL deref example:
```
==189347==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f961f6f379d bp 0x7ffdc44afed0 sp 0x7ffdc44af658 T0)
==189347==The signal is caused by a READ memory access.
==189347==Hint: address points to the zero page.
#0 0x7f961f6f379d (/lib/x86_64-linux-gnu/libc.so.6+0x18b79d) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#1 0x7f9620217826 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
#2 0x560faa92d119 in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:478
#3 0x560faa92e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636
#4 0x560faa93565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893
#5 0x560faa939c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516
#6 0x560fab74c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#7 0x560fab7557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387
#8 0x560faa939f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541
#9 0x560fab74c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#10 0x560fab754655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248
#11 0x560fab75365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145
#12 0x560fab54d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158
#13 0x560fab6b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#14 0x560fab9e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#15 0x560fabb40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#16 0x560fabb558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#17 0x560fabcba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#18 0x560fab6ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#19 0x560fab6ecccb in php_execute_script /work/php-src/main/main.c:2685
#20 0x560fabcbfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#21 0x560fabcc21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#22 0x7f961f5921c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#23 0x7f961f59228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#24 0x560faa809b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
UAF example:
```
==190632==ERROR: AddressSanitizer: heap-use-after-free on address 0x5020000690f0 at pc 0x7fc2cdb3596f bp 0x7ffce2ed98d0 sp 0x7ffce2ed9078
READ of size 3 at 0x5020000690f0 thread T0
#0 0x7fc2cdb3596e in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391
#1 0x558b6eb2d119 in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:478
#2 0x558b6eb2e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636
#3 0x558b6eb3565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893
#4 0x558b6eb39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516
#5 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#6 0x558b6f9557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387
#7 0x558b6eb39f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541
#8 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#9 0x558b6f954655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248
#10 0x558b6f95365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145
#11 0x558b6f74d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158
#12 0x558b6f8b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#13 0x558b6fbe024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#14 0x558b6fd40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#15 0x558b6fd558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#16 0x558b6feba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#17 0x558b6f8ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#18 0x558b6f8ecccb in php_execute_script /work/php-src/main/main.c:2685
#19 0x558b6febfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#20 0x558b6fec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#21 0x7fc2cceb01c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#22 0x7fc2cceb028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#23 0x558b6ea09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
0x5020000690f0 is located 0 bytes inside of 9-byte region [0x5020000690f0,0x5020000690f9)
freed by thread T0 here:
#0 0x7fc2cdbb44d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x558b6eb2d2fa in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:496
#2 0x558b6eb2e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636
#3 0x558b6eb3565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893
#4 0x558b6eb39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516
#5 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#6 0x558b6f9557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387
#7 0x558b6eb39f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541
#8 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#9 0x558b6f954655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248
#10 0x558b6f95365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145
#11 0x558b6f74d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158
#12 0x558b6f8b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#13 0x558b6fbe024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#14 0x558b6fd40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#15 0x558b6fd558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#16 0x558b6feba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#17 0x558b6f8ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#18 0x558b6f8ecccb in php_execute_script /work/php-src/main/main.c:2685
#19 0x558b6febfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#20 0x558b6fec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#21 0x7fc2cceb01c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#22 0x7fc2cceb028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#23 0x558b6ea09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
previously allocated by thread T0 here:
#0 0x7fc2cdbb59c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fc2cd2faeab in ASN1_mbstring_ncopy (/lib/x86_64-linux-gnu/libcrypto.so.3+0xcceab) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#2 0x7fc2cd2fb2e5 in ASN1_mbstring_copy (/lib/x86_64-linux-gnu/libcrypto.so.3+0xcd2e5) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#3 0x7fc2cd2fe2a5 in ASN1_STRING_to_UTF8 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xd02a5) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#4 0x558b6eb2d0a8 in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:477
#5 0x558b6eb2e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636
#6 0x558b6eb3565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893
#7 0x558b6eb39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516
#8 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#9 0x558b6f9557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387
#10 0x558b6eb39f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541
#11 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#12 0x558b6f954655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248
#13 0x558b6f95365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145
#14 0x558b6f74d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158
#15 0x558b6f8b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#16 0x558b6fbe024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#17 0x558b6fd40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#18 0x558b6fd558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#19 0x558b6feba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#20 0x558b6f8ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#21 0x558b6f8ecccb in php_execute_script /work/php-src/main/main.c:2685
#22 0x558b6febfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#23 0x558b6fec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#24 0x7fc2cceb01c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#25 0x7fc2cceb028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#26 0x558b6ea09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
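Two of the commits above share one root cause: a library call that returns -1 on failure, whose return value is then used as if it were a length (the `negative-size-param` report from `openssl_pkey_get_details`) or simply ignored before the output pointer is used (the NULL dereference and use-after-free in `php_openssl_matches_san_list`). The C example below is added here and is not php-src's code. It uses a constructed encoder, `to_utf8`, with the same contract as the real calls (length on success, -1 on failure, output pointer untouched on failure), a length-checked copy helper, and a lookup loop that checks the return value before touching `cert_name`. All function names and the sample entries are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a library encoder with the contract the commit
 * messages describe: returns the encoded length, or -1 on failure, and on
 * failure leaves *out untouched, so the caller's pointer keeps whatever it
 * held before: NULL on the first iteration, a freed buffer later on. */
static int to_utf8(const char *in, char **out) {
    if (in == NULL || in[0] == '\0') return -1;
    size_t len = strlen(in);
    char *buf = malloc(len + 1);
    if (buf == NULL) return -1;
    memcpy(buf, in, len + 1);
    *out = buf;
    return (int)len;
}

/* Length-checked string construction: a negative length is an error
 * signal and must never reach memcpy as a size. Returns the copy in a
 * static buffer, or NULL when the length is negative or too large. */
const char *copy_prefix(const char *src, int len) {
    static char buf[32];
    if (len < 0 || (size_t)len >= sizeof buf) return NULL;
    memcpy(buf, src, (size_t)len);
    buf[len] = '\0';
    return buf;
}

/* Look for name among entries, skipping entries the encoder rejects.
 * Returns the index of the first match, or -1. Testing len < 0 before
 * touching cert_name rules out both failure modes: the NULL dereference
 * when the first entry fails, and the use-after-free when a later entry
 * fails while cert_name still points at the previous, freed copy. */
int match_name_in_list(const char *name, const char *const *entries, int n) {
    char *cert_name = NULL;
    size_t name_len = strlen(name);
    for (int i = 0; i < n; i++) {
        int len = to_utf8(entries[i], &cert_name);
        if (len < 0) continue;          /* nothing was allocated; cert_name is stale */
        bool hit = (size_t)len == name_len && memcmp(cert_name, name, name_len) == 0;
        free(cert_name);
        cert_name = NULL;               /* never carry a dangling pointer into the next round */
        if (hit) return i;
    }
    return -1;
}

/* Constructed sample list: a rejected empty entry first, a NULL entry in
 * the middle (both make to_utf8 return -1), and the wanted name last. */
const char *const sample_entries[] = { "", "example.org", NULL, "example.net" };
const int sample_entries_len = 4;

int main(void) {
    printf("example.net found at index %d\n",
           match_name_in_list("example.net", sample_entries, sample_entries_len));
    printf("copy with length -1 -> %s\n", copy_prefix("abc", -1) ? "accepted" : "rejected");
    return 0;
}
```

Resetting `cert_name` to NULL right after `free` is cheap insurance: even if a later refactor drops the `len < 0` check, the next failing iteration dereferences NULL (a crash ASAN and a plain build both catch) rather than silently reading freed memory.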
ndossche added a commit that referenced this pull request on Jan 23, 2026
EVP_DigestInit() cannot handle a NULL argument:
```
==8028==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fade0826b2d bp 0x7ffcae8236f0 sp 0x7ffcae8236c0 T0)
==8028==The signal is caused by a READ memory access.
==8028==Hint: address points to the zero page.
#0 0x7fade0826b2d (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1e3b2d) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#1 0x5584fb314601 in zif_openssl_digest /work/php-src/ext/openssl/openssl.c:4459
#2 0x5584fc0b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#3 0x5584fc3e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#4 0x5584fc540995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#5 0x5584fc5558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#6 0x5584fc6ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#7 0x5584fc0ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#8 0x5584fc0ecccb in php_execute_script /work/php-src/main/main.c:2685
#9 0x5584fc6bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#10 0x5584fc6c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#11 0x7fade02c51c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#12 0x7fade02c528a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#13 0x5584fb209b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
ndossche added a commit that referenced this pull request on Jan 23, 2026
```
==59541==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f9fafba9b69 bp 0x7ffe3fd87700 sp 0x7ffe3fd876e8 T0)
==59541==The signal is caused by a WRITE memory access.
==59541==Hint: address points to the zero page.
#0 0x7f9fafba9b69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#1 0x7f9fafbb4ac2 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#2 0x7f9fafc886f0 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#3 0x7f9fafc88aa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#4 0x7f9fafdaeadf in PEM_write_bio_PrivateKey_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2adf) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#5 0x7f9fafdaebc7 in PEM_write_bio_PrivateKey (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2bc7) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#6 0x555dbe4ff75f in zif_openssl_pkey_export /work/php-src/ext/openssl/openssl.c:2216
#7 0x555dbf2b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#8 0x555dbf5e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#9 0x555dbf740995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#10 0x555dbf7558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#11 0x555dbf8ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#12 0x555dbf2ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#13 0x555dbf2ecccb in php_execute_script /work/php-src/main/main.c:2685
#14 0x555dbf8bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#15 0x555dbf8c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#16 0x7f9faf73e1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#17 0x7f9faf73e28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#18 0x555dbe409b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
ndossche added a commit that referenced this pull request on Jan 23, 2026
Example ASAN report:
```
==55442==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f73a6413b69 bp 0x7ffe666f6010 sp 0x7ffe666f5ff8 T0)
==55442==The signal is caused by a WRITE memory access.
==55442==Hint: address points to the zero page.
#0 0x7f73a6413b69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#1 0x7f73a641eac2 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#2 0x7f73a64f26f0 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#3 0x7f73a64f2aa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#4 0x7f73a6618adf in PEM_write_bio_PrivateKey_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2adf) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#5 0x7f73a6618bc7 in PEM_write_bio_PrivateKey (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2bc7) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#6 0x559b16af882b in zif_openssl_pkcs12_read /work/php-src/ext/openssl/openssl.c:1520
#7 0x559b178b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#8 0x559b17be024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#9 0x559b17d40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#10 0x559b17d558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#11 0x559b17eba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#12 0x559b178ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#13 0x559b178ecccb in php_execute_script /work/php-src/main/main.c:2685
#14 0x559b17ebfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#15 0x559b17ec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#16 0x7f73a5fa81c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#17 0x7f73a5fa828a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#18 0x559b16a09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
ndossche added a commit that referenced this pull request on Jan 24, 2026
…ails
```
==41743==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x557f134d3acf bp 0x7ffd4d5bc1f0 sp 0x7ffd4d5bb870 T0)
==41743==The signal is caused by a READ memory access.
==41743==Hint: address points to the zero page.
#0 0x557f134d3acf in php_stream_url_wrap_http_ex /work/php-src/ext/standard/http_fopen_wrapper.c:580
#1 0x557f134d857e in php_stream_url_wrap_http /work/php-src/ext/standard/http_fopen_wrapper.c:1204
#2 0x557f1375073d in _php_stream_open_wrapper_ex /work/php-src/main/streams/streams.c:2270
#3 0x557f13478fa6 in zif_file_get_contents /work/php-src/ext/standard/file.c:409
#4 0x557f131bfe39 in zif_phar_file_get_contents /work/php-src/ext/phar/func_interceptors.c:226
#5 0x557f136b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#6 0x557f139e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#7 0x557f13b40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#8 0x557f13b558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#9 0x557f13cba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#10 0x557f136ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#11 0x557f136ecccb in php_execute_script /work/php-src/main/main.c:2685
#12 0x557f13cbfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#13 0x557f13cc21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#14 0x7f14599cd1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#15 0x7f14599cd28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x557f12809b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
ndossche added a commit that referenced this pull request on Jan 24, 2026
When certificate `cert` exists, but is not added to the store, it causes
memory leaks. The error handling already existed, but the freeing
only happened in the success case.
One could also ponder whether it is necessary to inform the user when
adding a certificate fails, or to signal this in some way.
Part of the leak report:
```
Direct leak of 384 byte(s) in 1 object(s) allocated from:
#0 0x7fdbf1f9e9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fdbf183a7c4 in CRYPTO_zalloc (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2237c4) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#2 0x7fdbf16f9d13 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xe2d13) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#3 0x7fdbf16f9e19 in ASN1_item_new_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0xe2e19) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#4 0x7fdbf19a59f9 in X509_new_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x38e9f9) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#5 0x5575bcd295cb in php_openssl_pem_read_bio_x509 /work/php-src/ext/openssl/openssl_backend_v3.c:876
#6 0x5575bcd2ef3d in php_openssl_load_stream_cafile /work/php-src/ext/openssl/xp_ssl.c:855
#7 0x5575bcd2f4da in php_openssl_enable_peer_verification /work/php-src/ext/openssl/xp_ssl.c:912
#8 0x5575bcd33104 in php_openssl_setup_crypto /work/php-src/ext/openssl/xp_ssl.c:1610
#9 0x5575bcd39c18 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2512
#10 0x5575bdb4c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#11 0x5575bdb5557d in php_stream_xport_crypto_setup /work/php-src/main/streams/transports.c:367
#12 0x5575bcd39f11 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2540
#13 0x5575bdb4c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466
#14 0x5575bdb54655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248
#15 0x5575bdb5365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145
#16 0x5575bd8d30b1 in php_stream_url_wrap_http_ex /work/php-src/ext/standard/http_fopen_wrapper.c:490
#17 0x5575bd8d857e in php_stream_url_wrap_http /work/php-src/ext/standard/http_fopen_wrapper.c:1204
#18 0x5575bdb5073d in _php_stream_open_wrapper_ex /work/php-src/main/streams/streams.c:2270
#19 0x5575bd878fa6 in zif_file_get_contents /work/php-src/ext/standard/file.c:409
#20 0x5575bd5bfe39 in zif_phar_file_get_contents /work/php-src/ext/phar/func_interceptors.c:226
#21 0x5575bdab7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#22 0x5575bdde024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#23 0x5575bdf40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#24 0x5575bdf558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#25 0x5575be0ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#26 0x5575bdaec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#27 0x5575bdaecccb in php_execute_script /work/php-src/main/main.c:2685
#28 0x5575be0bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#29 0x5575be0c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
... etc ...
```
ndossche added a commit that referenced this pull request on Jan 24, 2026
…reset
The code tries to read the context on NULL when
`php_stream_xport_crypto_setup` fails, because by then `stream` has been reset
to NULL.
This is also UB, so it can cause miscompiles.
```
==1217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x55d829ed3acf bp 0x7fff045f5770 sp 0x7fff045f4df0 T0)
==1217==The signal is caused by a READ memory access.
==1217==Hint: address points to the zero page.
#0 0x55d829ed3acf in php_stream_url_wrap_http_ex /work/php-src/ext/standard/http_fopen_wrapper.c:580
#1 0x55d829ed857e in php_stream_url_wrap_http /work/php-src/ext/standard/http_fopen_wrapper.c:1204
#2 0x55d82a15073d in _php_stream_open_wrapper_ex /work/php-src/main/streams/streams.c:2270
#3 0x55d829e78fa6 in zif_file_get_contents /work/php-src/ext/standard/file.c:409
#4 0x55d829bbfe39 in zif_phar_file_get_contents /work/php-src/ext/phar/func_interceptors.c:226
#5 0x55d82a0b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#6 0x55d82a3e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#7 0x55d82a540995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#8 0x55d82a5558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#9 0x55d82a6ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#10 0x55d82a0ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#11 0x55d82a0ecccb in php_execute_script /work/php-src/main/main.c:2685
#12 0x55d82a6bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#13 0x55d82a6c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#14 0x7f9e770491c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#15 0x7f9e7704928a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x55d829209b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
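The reports quoted in this thread all share the AddressSanitizer layout: a header line with the error kind and faulting address, an optional READ/WRITE line and zero-page hint, then numbered frames that are either symbolized (`in func file:line`) or bare library offsets. When several such reports come in from a fuzzing run, the useful triage step is to bucket them by root cause rather than by top frame, since the crash itself often sits inside libcrypto while the bug is in the php-src caller. The script below is an added example, not code from php-src or this PR: it parses reports of this shape, treats a SEGV on an address below the first page as a NULL-pointer dereference, blames the first frame under the `/work/php-src/` tree prefix seen in the reports above (the prefix is a parameter), and collapses duplicates. The sample text is a shortened copy of reports quoted on this page; the helper and field names are my own.

```python
"""Triage helper for AddressSanitizer/LeakSanitizer reports of the shape
posted in this thread.  Added example; not code from php-src or the PR."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header lines: fatal ASAN errors and LSAN leak entries.
ERROR_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?")
LEAK_RE = re.compile(r"^(?P<how>Direct|Indirect) leak of (?P<bytes>\d+) byte\(s\)")
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE)")
# Symbolized '#6 0x.. in zif_x /work/php-src/ext/openssl/openssl.c:2216' or
# unsymbolized '#1 0x.. (/lib/.../libcrypto.so.3+0xf8ac2) (BuildId: ..)'.
FRAME_RE = re.compile(r"^#(?P<n>\d+) 0x[0-9a-f]+(?: in (?P<func>\S+))? (?P<loc>\S+)")

@dataclass
class Frame:
    index: int
    func: Optional[str]   # None when the frame is not symbolized
    loc: str              # 'file:line' or '(lib+offset)'

@dataclass
class Report:
    kind: str                       # SEGV, FPE, heap-buffer-overflow, leak
    addr: Optional[int] = None      # faulting address, when ASAN prints one
    access: Optional[str] = None    # READ / WRITE, when ASAN states it
    leaked_bytes: int = 0
    frames: List[Frame] = field(default_factory=list)

def parse_reports(text: str) -> List[Report]:
    """Split a log into reports; each report owns the frames that follow it."""
    reports: List[Report] = []
    for raw in text.splitlines():
        line = raw.strip()          # ASAN indents frames; pasted logs may not
        if m := ERROR_RE.match(line):
            addr = int(m["addr"], 16) if m["addr"] else None
            reports.append(Report(kind=m["kind"], addr=addr))
        elif m := LEAK_RE.match(line):
            reports.append(Report(kind="leak", leaked_bytes=int(m["bytes"])))
        elif not reports:
            continue                # preamble before the first header
        elif m := ACCESS_RE.search(line):
            reports[-1].access = m["access"]
        elif m := FRAME_RE.match(line):
            reports[-1].frames.append(Frame(int(m["n"]), m["func"], m["loc"]))
    return reports

def blame_frame(rep: Report, tree: str = "/work/php-src/") -> Optional[Frame]:
    """First frame inside the project tree: the caller that misused the
    library when the crash itself is inside libcrypto or libc."""
    for fr in rep.frames:
        if fr.loc.startswith(tree):
            return fr
    return None

def classify(rep: Report) -> str:
    """Coarse bucket deciding how a report is triaged."""
    if rep.kind == "leak":
        return "memory-leak"
    if rep.kind == "SEGV" and rep.addr is not None and rep.addr < 0x1000:
        # Address within the first page: NULL (or NULL + field offset) deref.
        return f"null-deref-{(rep.access or 'unknown').lower()}"
    if rep.kind == "FPE":
        return "abort-or-fpe"
    return rep.kind.lower()

def triage(text: str, tree: str = "/work/php-src/") -> List[dict]:
    """One summary per distinct (bucket, blamed function), so repeated
    reports of the same bug collapse into a single row."""
    seen: dict = {}
    for rep in parse_reports(text):
        fr = blame_frame(rep, tree)
        key = (classify(rep), fr.func if fr else None)
        if key not in seen:
            seen[key] = {"bucket": key[0], "func": key[1],
                         "loc": fr.loc if fr else None,
                         "top": rep.frames[0].func if rep.frames else None,
                         "count": 0, "leaked_bytes": 0}
        seen[key]["count"] += 1
        seen[key]["leaked_bytes"] += rep.leaked_bytes
    return list(seen.values())

# Constructed sample: shortened copies of reports quoted in this thread.
SAMPLE = """\
==59541==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f9fafba9b69 bp 0x7ffe3fd87700 sp 0x7ffe3fd876e8 T0)
==59541==The signal is caused by a WRITE memory access.
==59541==Hint: address points to the zero page.
    #0 0x7f9fafba9b69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #1 0x7f9fafbb4ac2 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #6 0x555dbe4ff75f in zif_openssl_pkey_export /work/php-src/ext/openssl/openssl.c:2216
==41743==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x557f134d3acf bp 0x7ffd4d5bc1f0 sp 0x7ffd4d5bb870 T0)
==41743==The signal is caused by a READ memory access.
    #0 0x557f134d3acf in php_stream_url_wrap_http_ex /work/php-src/ext/standard/http_fopen_wrapper.c:580
    #1 0x557f134d857e in php_stream_url_wrap_http /work/php-src/ext/standard/http_fopen_wrapper.c:1204
Direct leak of 384 byte(s) in 1 object(s) allocated from:
    #0 0x7fdbf1f9e9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #4 0x7fdbf19a59f9 in X509_new_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x38e9f9) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #5 0x5575bcd295cb in php_openssl_pem_read_bio_x509 /work/php-src/ext/openssl/openssl_backend_v3.c:876
==1217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x55d829ed3acf bp 0x7fff045f5770 sp 0x7fff045f4df0 T0)
==1217==The signal is caused by a READ memory access.
    #0 0x55d829ed3acf in php_stream_url_wrap_http_ex /work/php-src/ext/standard/http_fopen_wrapper.c:580
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f"{row['count']}x {row['bucket']:<18} {row['func']} @ {row['loc']}")
```

The blame heuristic is deliberately "first in-tree frame": for the `BIO_up_ref` crash that points at `zif_openssl_pkey_export` rather than at libcrypto, which is where the NULL BIO came from, and the two `http_fopen_wrapper.c:580` reports fold into one row. For the leak it lands on the PEM reader that allocated the `X509`, one frame below the loader loop that actually dropped the reference, so the bucket is a starting point for reading the full trace, not a verdict.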
ndossche added a commit that referenced this pull request on Jan 25, 2026
…ake() fails to set a version The leaks appears to be at least somewhat dependent on the OpenSSL version, but it is reproducible on an Ubuntu 24.04 container. Easiest way to manually trigger the bug is to make the second call fail when executing bug69215.phpt: ```diff diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 12383ac..6721d841d16 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c 
@@ -2957,7 +2957,9 @@ static zend_result php_openssl_csr_make(struct php_x509_request * req, X509_REQ } } /* setup the version number: version 1 */ - if (X509_REQ_set_version(csr, 0L)) { + static int counter = 0; + counter++; + if (counter!=2&&X509_REQ_set_version(csr, 0L)) { int i, nid; char *type; CONF_VALUE *v; ``` ASAN report: ``` Direct leak of 384 byte(s) in 1 object(s) allocated from: #0 0x7fd75dcb19c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x7fd75d54d7c4 in CRYPTO_zalloc (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2237c4) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #2 0x7fd75d40cd13 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xe2d13) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #3 0x7fd75d40ce19 in ASN1_item_new_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0xe2e19) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #4 0x7fd75d6b89f9 in X509_new_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x38e9f9) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #5 0x7fd75d8bdb9d (/lib/x86_64-linux-gnu/libssl.so.3+0x7eb9d) (BuildId: 5f3b12d47114f9fbdc7765266cd0bb8f1b5ee8fc) #6 0x7fd75d8a825d (/lib/x86_64-linux-gnu/libssl.so.3+0x6925d) (BuildId: 5f3b12d47114f9fbdc7765266cd0bb8f1b5ee8fc) #7 0x5630a25351d9 in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1850 #8 0x5630a2539c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516 #9 0x5630a334c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #10 0x5630a33557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387 #11 0x5630a25387be in php_openssl_tcp_sockop_accept /work/php-src/ext/openssl/xp_ssl.c:2279 #12 0x5630a2539fcd in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2551 #13 0x5630a334c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #14 0x5630a3354d3a in php_stream_xport_accept /work/php-src/main/streams/transports.c:307 #15 0x5630a3150161 in 
zif_stream_socket_accept /work/php-src/ext/standard/streamsfuncs.c:298 #16 0x5630a35dacfb in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /work/php-src/Zend/zend_vm_execute.h:1355 #17 0x5630a3740689 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116469 #18 0x5630a37558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 #19 0x5630a38ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 #20 0x5630a32ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 #21 0x5630a32ecccb in php_execute_script /work/php-src/main/main.c:2685 #22 0x5630a38bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 #23 0x5630a38c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 #24 0x7fd75cfac1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #25 0x7fd75cfac28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #26 0x5630a2409b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) ... etc ... ```
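Review bot: the `counter!=2&&` guard placed in front of `X509_REQ_set_version(csr, 0L)` is fault injection for reproducing the leak and must not land in the tree: `static int counter` is process-wide, so it skips the version call on the second CSR built in the process, whichever script happens to build it, and the condition is also written without the spaces around `!=` and `&&` that the surrounding code uses. The branch that should release `csr` when the `if` is not taken lies outside the shown context, so the hunk itself does not show the cleanup the leak fix depends on.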