PHP :: Bug #71752 :: Several places in Zend code where invalid pointers can be dereferenced

Bug #71752	Several places in Zend code where invalid pointers can be dereferenced
Submitted:	2016-03-09 11:25 UTC	Modified:	2018-11-23 09:22 UTC
From:	dragondreamer at live dot com	Assigned:
Status:	Closed	Package:	*General Issues
PHP Version:	7.0.4	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-03-09 11:25 UTC] dragondreamer at live dot com

Description:
------------
There're several places in Zend code where invalid (zero) pointers can be dereferenced.


1. zend_execute_API.c, zend_call_function function:

if (error) {
	zend_error(E_WARNING, "Invalid callback %s, %s", ZSTR_VAL(callable_name), error); // <-- Access to callable_name->val
	efree(error);
}
if (callable_name) { // <-- later check if callable_name is not NULL
	zend_string_release(callable_name);
}



2. zend_execute_API.c, zend_call_function function (again):

if (func->common.fn_flags & ZEND_ACC_ABSTRACT) {
	zend_throw_error(NULL, "Cannot call abstract method %s::%s()", ZSTR_VAL(func->common.scope->name), ZSTR_VAL(func->common.function_name)); // <-- Access to func->common.scope->name
	return FAILURE;
}
if (func->common.fn_flags & ZEND_ACC_DEPRECATED) {
	zend_error(E_DEPRECATED, "Function %s%s%s() is deprecated",
		func->common.scope ? ZSTR_VAL(func->common.scope->name) : "", // <-- Later check if func->common.scope is not NULL
		func->common.scope ? "::" : "",
		ZSTR_VAL(func->common.function_name));
}



3. zend_virtual_cwd.c, realpath_cache_key function:

const char *e = bucket_key + strlen(bucket_key); // <-- Access to bucket_key buffer

if (!bucket_key) { // <-- Later check if bucket_key is not NULL
	return 0;
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-03-10 07:03 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d5f71b0b125c89211e5a2a6d925deba938abd41
Log: tsrm_win32_get_path_sid_key might returns NULL (Partially fix bug #71752)

[2016-03-10 07:03 UTC] laruence@php.net

-Status: Open +Status: Closed

[2016-03-10 08:36 UTC] ab@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=67f0770036f866f6f0dadc044cdc8f94a5b9f030
Log: tsrm_win32_get_path_sid_key might returns NULL (Partially fix bug #71752)

[2016-07-20 11:33 UTC] davey@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d5f71b0b125c89211e5a2a6d925deba938abd41
Log: tsrm_win32_get_path_sid_key might returns NULL (Partially fix bug #71752)

[2018-11-23 09:22 UTC] dragondreamer at live dot com

-: temp at temp dot ru +: dragondreamer at live dot com

[2018-11-23 09:22 UTC] dragondreamer at live dot com

Edit e-mail address

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Dec 17 11:00:01 2025 UTC