php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73532 Null pointer dereference in mb_eregi
Submitted: 2016-11-16 02:19 UTC Modified: 2016-11-16 03:49 UTC
From: marceloje at gmail dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.1Git-2016-11-16 (Git) OS: Linux x86_64
Private report: No CVE-ID: None
 [2016-11-16 02:19 UTC] marceloje at gmail dot com
Description:
------------
Invalid multibyte strings cause zval null pointer in "_zval_ptr_dtor_nogc", through "mb_eregi"function.

This happens in PHP 7.1 (PHP 7.0 not crashes).


Source code:
https://github.com/php/php-src/blob/PHP-7.1/Zend/zend_variables.h#L39

static zend_always_inline void _zval_ptr_dtor_nogc(zval *zval_ptr ZEND_FILE_LINE_DC)
{
        if (Z_REFCOUNTED_P(zval_ptr) && !Z_DELREF_P(zval_ptr)) {
                _zval_dtor_func(Z_COUNTED_P(zval_ptr) ZEND_FILE_LINE_RELAY_CC);
        }
}

Test script:
---------------
poc.php

<?php

mb_eregi("a", "\xf5");

Expected result:
----------------
Not crash

Actual result:
--------------
ASan output:

ASAN:SIGSEGV
=================================================================
==7892==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x0000008bc4d2 bp 0x7fff53c82cc0 sp 0x7fff53c82ca0 T0)
    #0 0x8bc4d1 in _zval_ptr_dtor_nogc /home/operac/build6/php-src/Zend/zend_variables.h:39
    #1 0x8be82a in _php_mb_regex_ereg_exec /home/operac/build6/php-src/ext/mbstring/php_mbregex.c:711
    #2 0x8bf19a in zif_mb_eregi /home/operac/build6/php-src/ext/mbstring/php_mbregex.c:795
    #3 0xf42e39 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/operac/build6/php-src/Zend/zend_vm_execute.h:628
    #4 0xf41bb8 in execute_ex /home/operac/build6/php-src/Zend/zend_vm_execute.h:429
    #5 0xf41e33 in zend_execute /home/operac/build6/php-src/Zend/zend_vm_execute.h:474
    #6 0xe5bc28 in zend_execute_scripts /home/operac/build6/php-src/Zend/zend.c:1464
    #7 0xd16ba3 in php_execute_script /home/operac/build6/php-src/main/main.c:2533
    #8 0x10c8e6a in do_cli /home/operac/build6/php-src/sapi/cli/php_cli.c:990
    #9 0x10cac87 in main /home/operac/build6/php-src/sapi/cli/php_cli.c:1378
    #10 0x7f3b14ea982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x431e88 in _start (/home/operac/build6/bin/php+0x431e88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/operac/build6/php-src/Zend/zend_variables.h:39 _zval_ptr_dtor_nogc

-------------------------------------

GDB output:

gdb -q --args /home/operac/build6/bin/php -n poc.php
Reading symbols from /home/operac/build6/bin/php...done.
(gdb) r
Starting program: /home/operac/build6/bin/php -n poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000008bc4d2 in _zval_ptr_dtor_nogc (zval_ptr=0x0, __zend_filename=0x1679360 "/home/operac/build6/php-src/ext/mbstring/php_mbregex.c", __zend_lineno=711) at /home/operac/build6/php-src/Zend/zend_variables.h:39
39              if (Z_REFCOUNTED_P(zval_ptr) && !Z_DELREF_P(zval_ptr)) {


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-16 03:49 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-16 03:49 UTC] stas@php.net
Not released version, no need to hide.
 [2016-11-16 07:13 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=229024c7250d0a11fe9a83094a7e30b6fb83ad90
Log: Fixed bug #73532 (Null pointer dereference in mb_eregi)
 [2016-11-16 07:13 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-11-16 07:14 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=229024c7250d0a11fe9a83094a7e30b6fb83ad90
Log: Fixed bug #73532 (Null pointer dereference in mb_eregi)
 [2016-11-22 13:14 UTC] krakjoe@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=229024c7250d0a11fe9a83094a7e30b6fb83ad90
Log: Fixed bug #73532 (Null pointer dereference in mb_eregi)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 04:01:31 2024 UTC