PHP :: Bug #72164 :: Null Pointer Dereference

Bug #72164	Null Pointer Dereference - mb_ereg_replace
Submitted:	2016-05-05 08:39 UTC	Modified:	2016-05-05 08:44 UTC
From:	shm@php.net	Assigned:
Status:	Closed	Package:	mbstring related
PHP Version:	7.0.6	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-05-05 08:39 UTC] shm@php.net

Description:
------------
mb_ereg_replace causes Null pointer dereference in _php_mb_regex_ereg_replace_exec function. eval_buf can be derefered in case when eval option is turned on and pattern is empty.

Test script:
---------------
<?php
$var0 = "e";
$var2 = "";
$var8 = mbereg_replace($var2,$_,$_,$var0);

Expected result:
----------------
Null pointer is not derefered

Actual result:
--------------
$ ./php mbereg_replace.php 
ASAN:SIGSEGV
=================================================================
==906== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x000000a29c5a sp 0x7ffffafed520 bp 0x7ffffafedb70 T0)
AddressSanitizer can not provide additional info.
    #0 0xa29c59 in _php_mb_regex_ereg_replace_exec /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:941
    #1 0xa2a949 in zif_mb_ereg_replace /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:1029
    #2 0x101ced6 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #3 0x101bf4f in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #4 0x101c1aa in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #5 0xf31538 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #6 0xdc0d02 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #7 0x1148111 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #8 0x114a6ed in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #9 0x7f6c245b1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x4247a8 in _start (/home/shm/src/php-7.0.6/sapi/cli/php+0x4247a8)
SUMMARY: AddressSanitizer: SEGV /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:941 _php_mb_regex_ereg_replace_exec
==906== ABORTING
Aborted

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-05-05 08:44 UTC] shm@php.net

-Summary: Null Pointer Dereference +Summary: Null Pointer Dereference - mb_ereg_replace

[2016-05-05 09:28 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=395863b1d1798100b51c4c8be6e88d574e1a1bf1
Log: Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace)

[2016-05-05 09:28 UTC] laruence@php.net

-Status: Open +Status: Closed

[2016-07-20 11:31 UTC] davey@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=395863b1d1798100b51c4c8be6e88d574e1a1bf1
Log: Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 21:00:02 2025 UTC