Sec Bug #68545 NULL pointer dereference in unserialize.c:var_push_dtor
Submitted: 2014-12-03 23:10 UTC Modified: 2014-12-11 20:15 UTC
From: charlie at ceriksen dot com Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.3 OS: Ubuntu 2.6.32/Debian 3.7
Private report: No CVE-ID: None
 [2014-12-03 23:10 UTC] charlie at ceriksen dot com
Description:
------------
There's a NULL pointer dereference issue in the var_push_dtor function in unserialize.c.

By running the test script, you'll get the following segfault:
Program received signal SIGSEGV, Segmentation fault.
var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb858) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
62              var_entries *var_hash = (*var_hashx)->last_dtor;


According to 3v4l.org, it crashes on the following versions (http://3v4l.org/BtYZg):
4.3.10 - 4.4.9, 5.0.3 - 5.6.3, php7@20140507 - 20141101.



Test script:
---------------
<?php 
echo unserialize('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";'); 
?>


Expected result:
----------------
The interpreter shouldn't crash.

Actual result:
--------------
(gdb) bt
#0  var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb7d0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
#1  0x00000000004481af in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0, ht=0x7ffff7fdb700, elements=4, objprops=0, rval=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:329
#2  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#3  0x0000000000447436 in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90, ht=0x7ffff7fdb678, elements=5, objprops=0, rval=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:297
#4  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#5  0x0000000000f9884a in zif_unserialize (ht=<optimized out>, return_value=0x7ffff7fda908, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /home/charlie/php-5.6.3/ext/standard/var.c:965
#6  0x000000000158cf5c in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:558
#7  0x0000000001483b1a in execute_ex (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:363
#8  0x00000000012824cd in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/charlie/php-5.6.3/Zend/zend.c:1344
#9  0x000000000105522a in php_execute_script (primary_file=0x7fffffffd1c0) at /home/charlie/php-5.6.3/main/main.c:2584
#10 0x000000000159a1ed in do_cli (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:994
#11 0x000000000045052d in main (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:1378
#12 0x00007ffff710976d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000000000450601 in _start ()
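The backtrace shows the shape of the defect: frame #3 enters process_nested_data with a real context (var_hash=0x7fffffffab90), the nested call in frame #2 receives var_hash=0x0, and var_push_dtor then dereferences that NULL at line 62. The block below is an added illustration of the guard pattern for that dereference. It is not code from the report, not PHP's own var_unserializer.c, and not the patch 68545_55 (which is not reproduced on this page); the struct and function names (var_dtor_entries, unserialize_ctx, push_dtor_guarded, simulate_nested_calls) are constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of a per-unserialize() context that queues values for
 * later destruction. These are illustrative definitions, not PHP's. */
#define VAR_DTOR_ENTRIES_MAX 4

typedef struct var_dtor_entries {
    size_t used_slots;
    struct var_dtor_entries *next;
    void *data[VAR_DTOR_ENTRIES_MAX];
} var_dtor_entries;

typedef struct {
    var_dtor_entries *first_dtor;
    var_dtor_entries *last_dtor;
} unserialize_ctx;

/* The callee receives a pointer to a pointer to the context; the reported
 * crash is the case where that outer pointer is itself NULL (var_hashx=0x0). */
typedef unserialize_ctx *unserialize_data_t;

/* Returns 0 when the value was queued, -1 when no context is available.
 * Without the first check, `(*var_hashx)->last_dtor` on a NULL var_hashx is
 * the same dereference as line 62 in the report. */
int push_dtor_guarded(unserialize_data_t *var_hashx, void *rval)
{
    var_dtor_entries *entries;

    if (var_hashx == NULL || *var_hashx == NULL) {
        return -1;                      /* no context: nothing to record */
    }

    entries = (*var_hashx)->last_dtor;
    if (entries == NULL || entries->used_slots == VAR_DTOR_ENTRIES_MAX) {
        var_dtor_entries *fresh = calloc(1, sizeof *fresh);
        if (fresh == NULL) {
            return -1;
        }
        if (entries == NULL) {
            (*var_hashx)->first_dtor = fresh;
        } else {
            entries->next = fresh;
        }
        (*var_hashx)->last_dtor = fresh;
        entries = fresh;
    }

    entries->data[entries->used_slots++] = rval;
    return 0;
}

/* Number of values queued across all chunks of the list. */
size_t count_dtor_entries(const unserialize_ctx *ctx)
{
    size_t n = 0;
    for (const var_dtor_entries *e = ctx->first_dtor; e != NULL; e = e->next) {
        n += e->used_slots;
    }
    return n;
}

void free_dtor_entries(unserialize_ctx *ctx)
{
    var_dtor_entries *e = ctx->first_dtor;
    while (e != NULL) {
        var_dtor_entries *next = e->next;
        free(e);
        e = next;
    }
    ctx->first_dtor = ctx->last_dtor = NULL;
}

/* Mirrors frames #3 and #2 of the backtrace: an outer call with a real
 * context queues six values, then a nested call arrives with NULL. Returns
 * the number of values queued; the NULL call must be a harmless no-op. */
size_t simulate_nested_calls(void)
{
    unserialize_ctx ctx = { NULL, NULL };
    unserialize_data_t outer = &ctx;
    int dummy[6];
    size_t i, n;

    for (i = 0; i < 6; i++) {
        push_dtor_guarded(&outer, &dummy[i]);   /* outer call, context present */
    }
    push_dtor_guarded(NULL, &dummy[0]);         /* nested call, var_hash=0x0 */

    n = count_dtor_entries(&ctx);
    free_dtor_entries(&ctx);
    return n;
}
```

The six pushes span two chunks of four slots, so the example also exercises the list-growth path; the seventh call with NULL returns -1 instead of faulting, which is the behaviour a fix for this report has to guarantee whatever else it changes.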


Patches

68545_55 (last revision 2014-12-04 09:42 UTC by ab@php.net)

Pull Requests

History

 [2014-12-04 09:42 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: 68545_55
Revision:   1417686127
URL:        https://bugs.php.net/patch-display.php?bug=68545&patch=68545_55&revision=1417686127
 [2014-12-04 09:49 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2014-12-04 09:49 UTC] ab@php.net
@charlie please test the patch. Thanks.
 [2014-12-04 13:19 UTC] charlie at ceriksen dot com
-Status: Feedback +Status: Open
 [2014-12-04 13:19 UTC] charlie at ceriksen dot com
Tested the patch on the git PHP-5.5 branch. The test case no longer crashes, and a quick fuzzing of the new version doesn't crash either. But I'll keep fuzzing it for a while to see what happens.
 [2014-12-04 15:38 UTC] ab@php.net
Thanks for the test, this issue at least should be fine then :)
 [2014-12-10 11:37 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2014-12-13 22:29 UTC] ajf@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c
 [2014-12-13 22:30 UTC] ajf@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c
 [2014-12-13 22:31 UTC] ajf@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c
 [2014-12-15 19:00 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13f1c276ab72cf1a8a400fd013b9289d0018a340
Log: Fixed bug #68545 NULL pointer dereference in unserialize.c
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Feb 02 18:01:29 2025 UTC