[2015-06-23 09:22 UTC] emmanuel dot law at gmail dot com
-PHP Version: 5.6.9
+PHP Version: 5.6.9, 5.6.10
[2015-06-23 09:22 UTC] emmanuel dot law at gmail dot com
[2015-09-29 00:01 UTC] stas@php.net
[2015-09-29 00:01 UTC] stas@php.net
-Status: Open
+Status: Closed
[2015-09-29 00:01 UTC] stas@php.net
[2015-09-29 03:46 UTC] stas@php.net
[2015-09-29 13:10 UTC] ab@php.net
[2015-10-05 02:03 UTC] emmanuel dot law at gmail dot com
[2015-10-11 10:53 UTC] kaplan@php.net
-Assigned To:
+Assigned To: kaplan
-CVE-ID:
+CVE-ID: 2015-7803
[2016-04-18 09:30 UTC] bwoebi@php.net
[2016-07-20 11:36 UTC] davey@php.net
Description:
------------
If a Tar entry has the Link indicator set and points to a nonexistent file, phar_get_link_source() returns a NULL value (phar/util.c:69):

    if (SUCCESS == zend_hash_find(&(entry->phar->manifest), entry->link, strlen(entry->link), (void **)&link_entry)
        || SUCCESS == zend_hash_find(&(entry->phar->manifest), link, strlen(link), (void **)&link_entry)) {
        .......
    } else {
        .......
        return NULL;
    }

The NULL value gets passed into phar_get_fp_offset() at util.c:497:

    (*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);

The NULL pointer dereference occurs in phar_internal.h:444, where entry is NULL:

    if (!entry->is_persistent)

This causes PHP to seg fault.

Proof Of Concept:

    ./php readphar.php Null_ptr_deref_in_phar_get_fp_offset.tar.phar
    Segmentation fault

POC can be found here: https://www.dropbox.com/s/6hks64dopgcco9f/POC_Null_ptr_deref_in_phar_get_fp_offset.zip?dl=0

Actual result:
--------------
    gdb-peda$ bt
    #0  0x0000000000900df2 in phar_get_fp_offset (entry=0x0) at /home/elaw/php-5.6.8_patched_phar/ext/phar/phar_internal.h:444
    #1  0x0000000000904460 in phar_get_entry_data (ret=0x7fffffff9570, fname=0x7ffff7f79bc8 "/home/elaw/php-5.6.8_patched_phar/sapi/cli/Modified_Tar.tar.phar", fname_len=0x40, path=0x7ffff7f77c80 "test.php", path_len=0x8, mode=0x155dd40 "r", allow_dir=0x0, error=0x7fffffff95b0, security=0x0) at /home/elaw/php-5.6.8_patched_phar/ext/phar/util.c:497
    #2  0x000000000092de69 in phar_wrapper_open_url (wrapper=0x1a0bb40 <php_stream_phar_wrapper>, path=0x7ffff7f79d50 "phar:///home/elaw/php-5.6.8_patched_phar/sapi/cli/Modified_Tar.tar.phar/test.php", mode=0x15b7d60 "rb", options=0x0, opened_path=0x0, context=0x7ffff7f72e78) at /home/elaw/php-5.6.8_patched_phar/ext/phar/stream.c:286
    #3  0x0000000000cf3926 in _php_stream_open_wrapper_ex (path=0x7ffff7f79d50 "phar:///home/elaw/php-5.6.8_patched_phar/sapi/cli/Modified_Tar.tar.phar/test.php", mode=0x15b7d60 "rb", options=0x8, opened_path=0x0, context=0x7ffff7f72e78) at /home/elaw/php-5.6.8_patched_phar/main/streams/streams.c:2064
    #4  0x0000000000b0491e in zif_file_get_contents (ht=0x1, return_value=0x7ffff7f79d20, return_value_ptr=0x7ffff7f3c980, this_ptr=0x0, return_value_used=0x1) at /home/elaw/php-5.6.8_patched_phar/ext/standard/file.c:548
    #5  0x00000000009353e2 in phar_file_get_contents (ht=0x1, return_value=0x7ffff7f79d20, return_value_ptr=0x7ffff7f3c980, this_ptr=0x0, return_value_used=0x1) at /home/elaw/php-5.6.8_patched_phar/ext/phar/func_interceptors.c:225
    #6  0x0000000000eeaeec in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f3cc18) at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:558
    #7  0x0000000000f0441e in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f3cc18) at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:2599
    #8  0x0000000000ee63d4 in execute_ex (execute_data=0x7ffff7f3cc18) at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:363
    #9  0x0000000000ee7d7c in zend_execute (op_array=0x7ffff7f70d00) at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:388
    #10 0x0000000000e1e55b in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/elaw/php-5.6.8_patched_phar/Zend/zend.c:1341
    #11 0x0000000000ca9dec in php_execute_script (primary_file=0x7fffffffcd10) at /home/elaw/php-5.6.8_patched_phar/main/main.c:2597
    #12 0x0000000001190280 in do_cli (argc=0x5, argv=0x60400000ded0) at /home/elaw/php-5.6.8_patched_phar/sapi/cli/php_cli.c:994
    #13 0x0000000001192ee7 in main (argc=0x5, argv=0x60400000ded0) at /home/elaw/php-5.6.8_patched_phar/sapi/cli/php_cli.c:1378
    #14 0x00007ffff4b0db45 in __libc_start_main (main=0x1191984 <main>, argc=0x5, argv=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at libc-start.c:287
    #15 0x0000000000428d79 in _start ()
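To make the failure mode in the report concrete, here is an added illustration in C (not PHP's source; every struct, function and manifest entry below is hypothetical and constructed for this example) of a link-resolution lookup that returns NULL for a dangling link, beside a caller that checks for NULL before reading the resolved entry's fields instead of dereferencing it unconditionally.

```c
/* Added illustration, not PHP's own code: a minimal model of the phar
 * link-resolution bug. A link entry names another entry; if that target
 * is missing, resolution yields NULL, and a caller that reads the result
 * without a check crashes. The hardened caller reports an error instead. */
#include <stddef.h>
#include <string.h>

struct entry {
    const char *name;
    const char *link;        /* NULL unless this entry is a link */
    int is_persistent;
    long offset;
};

/* Constructed "manifest": test.php is a link to a file that does not exist. */
static struct entry manifest[] = {
    { "index.php", NULL,          0, 100 },
    { "test.php",  "missing.php", 0, 0 },
};
#define MANIFEST_LEN (sizeof manifest / sizeof manifest[0])

static struct entry *find_entry(const char *name) {
    for (size_t i = 0; i < MANIFEST_LEN; i++)
        if (strcmp(manifest[i].name, name) == 0) return &manifest[i];
    return NULL;
}

/* Analogue of phar_get_link_source(): follows a link, NULL if the target is absent. */
static struct entry *get_link_source(struct entry *e) {
    return e->link ? find_entry(e->link) : e;
}

/* Analogue of phar_get_fp_offset(): reads the entry's fields with no NULL check. */
static long get_fp_offset_unchecked(struct entry *e) {
    return e->is_persistent ? 0 : e->offset;   /* would crash when e == NULL */
}

/* Hardened caller: resolve the link first and refuse to continue on NULL.
 * Returns 0 and stores the offset on success, -1 when the link is dangling. */
static int get_entry_offset(const char *name, long *out) {
    struct entry *e = find_entry(name);
    if (!e) return -1;
    struct entry *src = get_link_source(e);
    if (!src) return -1;                       /* dangling link: error, not a deref */
    *out = get_fp_offset_unchecked(src);
    return 0;
}
```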