PHP :: Bug #68839 :: Explicit null pointer dereference

Bug #68839	Explicit null pointer dereference
Submitted:	2015-01-15 16:19 UTC	Modified:	2015-01-20 19:51 UTC
From:	bugreports at internot dot info	Assigned:	stas (profile)
Status:	Closed	Package:	PHAR related
PHP Version:	master-Git-2015-01-15 (Git)	OS:	Linux Ubuntu 14.04
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	bugreports at internot dot info
New email:
PHP Version:		OS:

New/Additional Comment:

[2015-01-15 16:19 UTC] bugreports at internot dot info

Description:
------------
Hi,

The bug itself is in /ext/phar/zip.c, but I'll add the code that I used to find it:


In /ext/phar/phar.c:


2524                return phar_zip_flush(phar, user_stub, len, convert, error);


'error' is NULL at that point, since:
2513        if (error) {
2514                *error = NULL;
2515        }


phar_zip_flush correctly checks for NULL in most places:

1206                if (error) {
1207                        spprintf(error, 0, "internal error: attempt to flush cached zip-based phar \"%s\"", phar->fname);
1208                }

1224                        if (error) {
1225                                spprintf(error, 0, "unable to set alias in zip-based phar \"%s\"", phar->fname);
1226                        }
1227                        return EOF;

etc.

But it does not check for NULL on an unwritable tmp file:

1219                if (entry.fp == NULL) {
1220                        spprintf(error, 0, "phar error: unable to create temporary file");
1221                        return EOF;
1222                }




I will be  submitting a a patch for this in a moment, to internals@php.


Thanks,

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-01-15 17:10 UTC] tony2001@php.net

-Type: Security +Type: Bug

[2015-01-16 08:21 UTC] bugreports at internot dot info

https://github.com/MegaManSec/php-src/commit/7df256e25f778a680f1b7e28c5e6cf4d85ecc0dc
pull request submitted

[2015-01-20 19:51 UTC] stas@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: stas

[2015-01-20 19:51 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 21:00:02 2025 UTC