[2011-03-23 01:57 UTC] felipe@php.net
[2011-03-23 01:58 UTC] felipe@php.net
-Summary: Crash in php_pcre_replace_impl
+Summary: Invalid read in RegexIterator::accept() causes crash
[2011-09-12 11:46 UTC] bjori@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: bjori
[2011-09-12 11:46 UTC] bjori@php.net
[2011-09-12 12:09 UTC] pajoye@php.net
-Status: Closed
+Status: Re-Opened
[2011-09-12 12:09 UTC] pajoye@php.net
[2011-09-12 13:04 UTC] pajoye@php.net
-Assigned To: bjori
+Assigned To: pajoye
[2011-09-12 13:04 UTC] pajoye@php.net
[2011-09-12 13:22 UTC] bjori@php.net
-Status: Re-Opened
+Status: Closed
[2011-09-12 13:22 UTC] bjori@php.net
[2011-09-12 17:20 UTC] bjori@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Sun Oct 26 16:00:01 2025 UTC
Description:
------------
The attached code crashes on PHP 5.3 and trunk. It seems particularly dangerous because the address where the invalid read happens is directly assignable. I didn't have more time to look into this but it might be possible to do arbitrary memory reading with this vulnerability.

Test script:
---------------
<?php
class foo extends ArrayIterator {
    public function __construct()
    {
        parent::__construct(array('test3' => 'test999'));
    }
}

$h = new foo;
$i = new RegexIterator($h, '/^test(.*)/', RegexIterator::REPLACE);
$i->replacement = 3735928559; // 0xdeadbeef
foreach ($i as $name => $value) {
}
?>

Actual result:
--------------
==22309== Invalid read of size 1
==22309==    at 0x497700: php_pcre_replace_impl (php_pcre.c:1088)
==22309==    by 0x62E77E: zim_spl_RegexIterator_accept (spl_iterators.c:1919)
==22309==    by 0x7C3A40: zend_call_function (zend_execute_API.c:986)
==22309==    by 0x7EF6A1: zend_call_method (zend_interfaces.c:97)
==22309==    by 0x62DD39: spl_filter_it_fetch (spl_iterators.c:1724)
==22309==    by 0x62DE07: spl_filter_it_rewind (spl_iterators.c:1743)
==22309==    by 0x62DE96: zim_spl_FilterIterator_rewind (spl_iterators.c:1763)
==22309==    by 0x7C3A40: zend_call_function (zend_execute_API.c:986)
==22309==    by 0x7EF6A1: zend_call_method (zend_interfaces.c:97)
==22309==    by 0x7EFCFF: zend_user_it_rewind (zend_interfaces.c:261)
==22309==    by 0x88CBE0: ZEND_FE_RESET_SPEC_CV_HANDLER (zend_vm_execute.h:22724)
==22309==    by 0x80693D: execute (zend_vm_execute.h:107)
==22309==  Address 0xdeadbeef is not stack'd, malloc'd or (recently) free'd
==22309==
==22309==
==22309== Process terminating with default action of signal 11 (SIGSEGV)
==22309==  Access not within mapped region at address 0xDEADBEEF
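The report above shows the general bug class: a property that userland can write (here `replacement`, set to the integer 0xdeadbeef) is consumed by C code that assumes it holds a string, so the integer payload is reinterpreted as a pointer and dereferenced. The program below is an added example, not PHP's source and not the fix that was committed for this bug. It models a zval-like tagged value under hypothetical names (`value`, `T_LONG`, `T_STRING`, `value_to_string`, `replace_if_prefix`), and a prefix match stands in for the regular expression; the point it demonstrates is that the type tag must be checked and non-string payloads coerced before anything treats the bytes as text.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tagged value with the general shape of a PHP zval (a type tag
 * plus a union of overlapping payloads). This is an assumption for the
 * example, not PHP's definition. */
typedef enum { T_LONG, T_STRING } vtag;

typedef struct {
    vtag type;
    union {
        long long lval;  /* meaningful only when type == T_LONG */
        char     *sval;  /* meaningful only when type == T_STRING */
    } u;
} value;

static value make_long(long long n) {
    value v; v.type = T_LONG; v.u.lval = n; return v;
}

static value make_string(const char *s) {
    value v; v.type = T_STRING; v.u.sval = (char *)s; return v;
}

/* The bug class in the report: a consumer assumes a user-writable property is
 * a string and reads u.sval without looking at the tag. When the property
 * holds the integer 0xdeadbeef, u.sval aliases those same bytes, so the
 * consumer dereferences whatever address the script chose (the "Invalid read"
 * in the valgrind output). That unchecked read is deliberately not reproduced
 * here; the accessor below is the defensive pattern. */

/* Hardened accessor: check the tag and coerce non-strings into a real, owned
 * string. Never reinterprets a payload as a pointer. Caller frees the result. */
char *value_to_string(const value *v) {
    char buf[32];
    switch (v->type) {
    case T_STRING:
        return strdup(v->u.sval ? v->u.sval : "");
    case T_LONG:
        snprintf(buf, sizeof buf, "%lld", v->u.lval);
        return strdup(buf);
    }
    return NULL; /* unknown tag: refuse rather than guess */
}

/* Toy stand-in for the REPLACE step. The report's pattern /^test(.*)/ consumes
 * the whole subject, so a match is replaced entirely by the replacement text.
 * Returns 1 and sets *out (caller frees) when the subject matched, else 0. */
int replace_if_prefix(const char *subject, const char *prefix,
                      const value *replacement, char **out) {
    *out = NULL;
    if (strncmp(subject, prefix, strlen(prefix)) != 0)
        return 0;
    *out = value_to_string(replacement);
    return *out != NULL;
}

/* Does an integer-valued property come out as its decimal text? */
int long_property_coerces_to(long long n, const char *expected) {
    value v = make_long(n);
    char *s = value_to_string(&v);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

/* Does a string-valued property pass through unchanged? */
int string_property_coerces_to(const char *in, const char *expected) {
    value v = make_string(in);
    char *s = value_to_string(&v);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

/* Does the replace step, fed an integer replacement, produce expected? */
int replace_yields(const char *subject, long long n, const char *expected) {
    value v = make_long(n);
    char *out;
    int matched = replace_if_prefix(subject, "test", &v, &out);
    int ok = matched && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

int main(void) {
    /* Constructed input mirroring the report: subject 'test999', replacement
     * 0xdeadbeef (3735928559). The integer becomes text, not an address. */
    value r = make_long(3735928559LL);
    char *out;
    if (replace_if_prefix("test999", "test", &r, &out)) {
        printf("replacement used as text: %s\n", out);
        free(out);
    }
    return 0;
}
```

The check to carry back to real code is the one in `value_to_string`: any value that a script can assign to a property reaches the C consumer as untrusted input, so the consumer must branch on the type tag (or convert to the expected type up front) before it touches the union payload.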