PHP :: Bug #75002 :: Null Pointer Dereference in timelib_time

Bug #75002

Null Pointer Dereference in timelib_time_clone

Submitted:

2017-07-28 10:08 UTC

Modified:

2017-07-30 19:41 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

zhihua dot yao at dbappsecurity dot com dot cn

Assigned:

Status:

Closed

Package:

SPL related

PHP Version:

5.6.31, 7.1.7

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2017-07-28 10:08 UTC] zhihua dot yao at dbappsecurity dot com dot cn

Description:
------------
Since the argument origts to 0, the null pointer is interpreted.

Test script:
---------------
<?php

class aaa extends DatePeriod {
   
	public function __construct() { }
}

$start=new DateTime( '2012-08-01' );

foreach (new aaa($start) as $y){

 $a=$key;

}


Expected result:
----------------
no crash

Actual result:
--------------
root@ubuntu:/home/hjy/Desktop# ./php-7.1.7/sapi/cli/php poc.php 
ASAN:SIGSEGV
=================================================================
==6186==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x081c3fb7 sp 0xbfde97f0 bp 0xbfde9818 T0)
    #0 0x81c3fb6 in memcpy /usr/include/i386-linux-gnu/bits/string3.h:51
    #1 0x81c3fb6 in timelib_time_clone /home/hjy/Desktop/php-7.1.7/ext/date/lib/timelib.c:58
    #2 0x80be985 in date_period_it_rewind /home/hjy/Desktop/php-7.1.7/ext/date/php_date.c:1947
    #3 0xa12536a in ZEND_FE_RESET_R_SPEC_VAR_HANDLER /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:16525
    #4 0x9f38f6f in execute_ex /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:429
    #5 0xa34f88b in zend_execute /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:474
    #6 0x9c69108 in zend_execute_scripts /home/hjy/Desktop/php-7.1.7/Zend/zend.c:1476
    #7 0x98eb275 in php_execute_script /home/hjy/Desktop/php-7.1.7/main/main.c:2537
    #8 0xa35f295 in do_cli /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:993
    #9 0x80a8ceb in main /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:1381
    #10 0xb6bdca82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #11 0x80a995f (/home/hjy/Desktop/php-7.1.7/sapi/cli/php+0x80a995f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/i386-linux-gnu/bits/string3.h:51 memcpy
==6186==ABORTING

Patches

date-period-ctor-75002.txt.diff (last revision 2017-07-28 11:40 UTC by derick@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-07-28 10:44 UTC] derick@php.net

-PHP Version: 7.1.7 +PHP Version: 5.6.31, 7.1.7

[2017-07-28 10:44 UTC] derick@php.net

DatePeriod, wrapping internal structures, should not be extendable. In any case, I can reproduce this and I'm looking at a fix right now.

[2017-07-28 11:40 UTC] derick@php.net

The following patch has been added/updated:

Patch Name: date-period-ctor-75002.txt.diff
Revision:   1501242055
URL:        https://bugs.php.net/patch-display.php?bug=75002&patch=date-period-ctor-75002.txt.diff&revision=1501242055

[2017-07-30 19:41 UTC] stas@php.net

-Type: Security +Type: Bug

[2017-08-02 14:43 UTC] ab@php.net

Automatic comment on behalf of derick
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b112d09013088e73676eee77f04a906d15fbd1a7
Log: Fixed bug #75002 Null Pointer Dereference in timelib_time_clone

[2017-08-02 14:43 UTC] ab@php.net

-Status: Open +Status: Closed

[2020-02-26 23:27 UTC] cmb@php.net

Related To: Bug #54401

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 22:00:01 2025 UTC