Bug #73181 parse_str() without a second argument leads to crash
Submitted: 2016-09-27 11:14 UTC Modified: 2016-09-27 17:38 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: lbarnaud@php.net Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0.11 OS:
Private report: No CVE-ID: None
 [2016-09-27 11:14 UTC] lbarnaud@php.net
Description:
------------
Calling parse_str() without a second argument can create variables with numeric names in the current scope.

zend_symtable_clean() didn't plan for this, and it considers that all elements in the scope's hashtable have a string key.

This causes a crash when zend_symtable_clean() tries to release keys:

    zend_string_release(p->key);

p->key is NULL, and zend_string_release() tries to access memory at address 0x5.

I can reproduce with all versions of php since 7.0: https://3v4l.org/3lNAH

The extract() function seems to avoid this by not extracting numerically-named variables.

Test script:
---------------
<?php

function x() {
    parse_str("1&x");
}

x();

Expected result:
----------------
No crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000009f8adb in zend_string_release (s=0x0) at /opt/php-7.0.11/Zend/zend_string.h:269
269		if (!ZSTR_IS_INTERNED(s)) {
(gdb) bt
#0  0x00000000009f8adb in zend_string_release (s=0x0) at /opt/php-7.0.11/Zend/zend_string.h:269
#1  0x00000000009fd33b in zend_symtable_clean (ht=0x3695be0) at /opt/php-7.0.11/Zend/zend_hash.c:1450
#2  0x0000000000a41d65 in zend_clean_and_cache_symbol_table (symbol_table=0x3695be0) at /opt/php-7.0.11/Zend/zend_execute.c:2055
#3  0x0000000000a43594 in zend_leave_helper_SPEC () at /opt/php-7.0.11/Zend/zend_vm_execute.h:472
#4  0x0000000000a4a619 in ZEND_RETURN_SPEC_CONST_HANDLER () at /opt/php-7.0.11/Zend/zend_vm_execute.h:3100
#5  0x0000000000a43412 in execute_ex (ex=0x7ffff7f26a50) at /opt/php-7.0.11/Zend/zend_vm_execute.h:414
#6  0x00000000009d0ff7 in zend_call_function (fci=0x7fffffffaa70, fci_cache=0x7fffffffaa40) at /opt/php-7.0.11/Zend/zend_execute_API.c:866
#7  0x0000000000853722 in zif_call_user_func_array (execute_data=0x7ffff7f269d0, return_value=0x7ffff7f26950)
    at /opt/php-7.0.11/ext/standard/basic_functions.c:4815
#8  0x0000000000a43f93 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /opt/php-7.0.11/Zend/zend_vm_execute.h:714
#9  0x0000000000a43412 in execute_ex (ex=0x7ffff7f24040) at /opt/php-7.0.11/Zend/zend_vm_execute.h:414
#10 0x0000000000a43527 in zend_execute (op_array=0x15e18a0, return_value=0x0) at /opt/php-7.0.11/Zend/zend_vm_execute.h:458
#11 0x00000000009e8733 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/php-7.0.11/Zend/zend.c:1427
#12 0x000000000095ae0b in php_execute_script (primary_file=0x7fffffffe200) at /opt/php-7.0.11/main/main.c:2494
#13 0x0000000000aa83e5 in do_cli (argc=12, argv=0x13f9ca0) at /opt/php-7.0.11/sapi/cli/php_cli.c:974
#14 0x0000000000aa9389 in main (argc=12, argv=0x13f9ca0) at /opt/php-7.0.11/sapi/cli/php_cli.c:1344
(gdb) frame 1
#1  0x00000000009fd33b in zend_symtable_clean (ht=0x3695be0) at /opt/php-7.0.11/Zend/zend_hash.c:1450
1450					zend_string_release(p->key);
(gdb)
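
A simplified C model of the crash described in this report, added here as an illustration and not taken from php-src or from the fix commit; the struct layout, the function names and the guard are assumptions. It shows why a NULL key faults at address 0x5 (the flags byte read by the interned check) and a clean loop that skips entries without a string key.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model of the PHP 7.0 string header and hash bucket (assumption:
   reduced to the fields that matter here; these are not the Zend headers). */
typedef struct {
    uint32_t refcount;
    uint8_t  type;
    uint8_t  flags;      /* the "interned" bit is read from this byte */
    uint16_t gc_info;
    char     val[8];
} model_string;

typedef struct {
    unsigned long h;     /* integer key, or hash of the string key */
    model_string *key;   /* NULL when the entry has an integer key */
} model_bucket;

/* Address a flags read touches when the string pointer is NULL. */
size_t null_key_fault_address(void) { return offsetof(model_string, flags); }

static model_string *str_new(void) {
    model_string *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->refcount = 1;
    return s;
}

/* Dereferences s before anything else, as the release in the backtrace does. */
static void str_release(model_string *s) {
    if (!(s->flags & 0x2) /* stand-in for the interned bit */ && --s->refcount == 0)
        free(s);
}

/* Clean every slot, releasing a key only when the slot has one.
   Returns how many string keys were released. */
int symtable_clean_guarded(model_bucket *b, size_t n) {
    int released = 0;
    for (size_t i = 0; i < n; i++) {
        if (b[i].key) { str_release(b[i].key); released++; } /* no guard: NULL deref */
        b[i].key = NULL;
    }
    return released;
}

/* Constructed table modeled on the test script: integer key 1, string key "x". */
int demo(void) {
    model_bucket t[2] = { { 1, NULL }, { 0, str_new() } };
    return symtable_clean_guarded(t, 2);
}
```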

 [2016-09-27 12:08 UTC] ajf@php.net
> zend_symtable_clean() didn't plan for this, and it considers that all elements in the scope's hashtable have a string key.

This begs the question of why it is called "zend_symtable_clean()", then. The zend_symtable_* APIs are distinguished by their special handling of integer and numeric keys.
 [2016-09-27 17:38 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2016-09-27 17:49 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b7cbaa7f43d8a584e273e214209a4f7406a30029
Log: Fix bug #73181
 [2016-09-27 17:49 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b7cbaa7f43d8a584e273e214209a4f7406a30029
Log: Fix bug #73181
Last updated: Tue Mar 19 04:01:31 2024 UTC