[wp-trac] [WordPress Trac] #44532: Extreme memory leak related to wp_is_stream in wp-includes/functions.php in WordPress 4.9.7

WordPress Trac noreply at wordpress.org
Sun Jul 22 11:43:15 UTC 2018


#44532: Extreme memory leak related to wp_is_stream in wp-includes/functions.php in
WordPress 4.9.7
------------------------------------------+---------------------
 Reporter:  timbowesohft                  |       Owner:  pento
     Type:  defect (bug)                  |      Status:  closed
 Priority:  high                          |   Milestone:  4.9.8
Component:  Media                         |     Version:  4.9.7
 Severity:  major                         |  Resolution:  fixed
 Keywords:  has-patch commit fixed-major  |     Focuses:
------------------------------------------+---------------------

Comment (by pento):

 Replying to [comment:42 tristanleboss]:
 > If the problem comes from the repeated call to `stream_get_wrappers`,
 > why don't we cache the output of this function in a function static
 > variable? I mean it's not supposed to change during the same request.

 I don't think this would help a huge amount, and has the potential to
 introduce other weird behaviour, and potentially security issues. For
 example, say you were to cache the output of `stream_get_wrappers()` that
 included a corrupt wrapper name. If it were a shorter bit of memory that
 it was reading from, then `wp_is_stream()` could be called a bunch of
 times, and return correctly (assuming it wasn't a stream we were trying to
 use that was being checked in those calls: if it was, then the function
 would be returning that we're unable to read from a stream that we can
 read from).

 However, the memory that the corrupt wrapper name is pointing at could be
 deallocated at any time, and then allocated to something else: now we have
 a lump of memory that could potentially even be used by something outside
 the PHP process, and we're reading from it. This will often cause the PHP
 process to be terminated (modern OSes protect against processes reading
 outside of their allocated memory), but otherwise may cause strange
 information exposure issues.

 > Hello @SergeyBiryukov Sorry if my question seems "crazy" but why
 > isn't @timbowesohft in the props list? He pointed out this bug here and
 > it will finally be patched.

 Thanks for noticing that, @sebastienserre! That was my mistake, I
 should've included him on the props list. We'll make sure he's given props
 in the 4.9.8 release post. 🙂

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44532#comment:57>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

