php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77844 Crash due to null pointer in parse_ini_string with INI_SCANNER_TYPED
Submitted: 2019-04-04 10:39 UTC Modified: 2019-04-08 08:55 UTC
From: hanno at hboeck dot de Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: 7.2 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: hanno at hboeck dot de
New email:
PHP Version: OS:

 

 [2019-04-04 10:39 UTC] hanno at hboeck dot de
Description:
------------
The example command will cause a segfault.

With ASAN I get this stack trace, indicating a null pointer access:

==1102==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f0cdd59b756 bp 0x7ffed002f990 sp 0x7ffed002f7f0 T0)
==1102==The signal is caused by a READ memory access.
==1102==Hint: address points to the zero page.
    #0 0x7f0cdd59b755  (/lib64/libc.so.6+0x3e755)
    #1 0x4bd858 in __interceptor_strtol (/r/php/php+0x4bd858)
    #2 0x177eb4c in atoi /usr/include/stdlib.h:363:16
    #3 0x177eb4c in zend_ini_do_op /f/php-7.3.3/Zend/zend_ini_parser.c:132
    #4 0x177ae78 in ini_parse /f/php-7.3.3/Zend/zend_ini_parser.c:1859:7
    #5 0x177defd in zend_parse_ini_string /f/php-7.3.3/Zend/zend_ini_parser.c:336:11
    #6 0x14a8294 in zif_parse_ini_string /f/php-7.3.3/ext/standard/basic_functions.c:6129:6
    #7 0x1bbc5a8 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php-7.3.3/Zend/zend_vm_execute.h:690:2
    #8 0x19ef40c in execute_ex /f/php-7.3.3/Zend/zend_vm_execute.h:55334:7
    #9 0x19efcdf in zend_execute /f/php-7.3.3/Zend/zend_vm_execute.h:60881:2
    #10 0x183f138 in zend_eval_stringl /f/php-7.3.3/Zend/zend_execute_API.c:1018:4
    #11 0x183f85f in zend_eval_stringl_ex /f/php-7.3.3/Zend/zend_execute_API.c:1059:11
    #12 0x183f85f in zend_eval_string_ex /f/php-7.3.3/Zend/zend_execute_API.c:1070
    #13 0x1cc51c8 in do_cli /f/php-7.3.3/sapi/cli/php_cli.c:1030:8
    #14 0x1cc23e2 in main /f/php-7.3.3/sapi/cli/php_cli.c:1392:18
    #15 0x7f0cdd5814fa in __libc_start_main (/lib64/libc.so.6+0x244fa)
    #16 0x424419 in _start (/r/php/php+0x424419)


Test script:
---------------
php -r 'parse_ini_string("0=.0&0", TRUE, INI_SCANNER_TYPED);'


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-08 08:52 UTC] nikic@php.net
-Summary: Crass due to null pointer in parse_ini_string with INI_SCANNER_TYPED +Summary: Crash due to null pointer in parse_ini_string with INI_SCANNER_TYPED -Status: Open +Status: Verified -PHP Version: 7.3.3 +PHP Version: 7.2
 [2019-04-08 08:52 UTC] nikic@php.net
Also segfaults on PHP 7.2.
 [2019-04-08 08:55 UTC] nikic@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: nikic
 [2019-04-08 09:13 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=eea61cda7df1466a1f40a17c21b65901c1c68ce0
Log: Fixed bug #77844
 [2019-04-08 09:13 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 20:01:28 2024 UTC