Bug #68817 Null pointer dereference
Submitted: 2015-01-12 18:49 UTC Modified: 2015-01-15 00:07 UTC
From: bugreports at internot dot info Assigned:
Status: Closed Package: JSON related
PHP Version: master-Git-2015-01-12 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None

 [2015-01-12 18:49 UTC] bugreports at internot dot info
Description:
------------
Hi,

In ext/json/JSON_parser.c:

585                    buf.s->len = 0;

but it is possible for buf.s to not be initialized.
The proper code is demonstrated in the previous "case":

564                    if (buf.s) { buf.s->len = 0; }

I imagine this can be triggered if "type == IS_STRING" is false.


Thanks,


Patches

Pull Requests

History

 [2015-01-13 09:45 UTC] tony2001@php.net
-Status: Open +Status: Feedback
 [2015-01-13 09:45 UTC] tony2001@php.net
But it is initialized at the top of the func:
    smart_str buf = {0};

Do you have a reproduce case?
 [2015-01-13 17:09 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-13 17:09 UTC] bugreports at internot dot info
Why is there a check on line 564 then?


Thanks,
 [2015-01-14 09:36 UTC] tony2001@php.net
-Status: Open +Status: Feedback
 [2015-01-14 09:36 UTC] tony2001@php.net
Because Nikita Popov added it in b30c7fe2 for some reason.
Do I understand it correctly that you don't have a reproduce case and are just trying to deduce a security problem by looking at the code?
 [2015-01-14 12:40 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-14 12:40 UTC] bugreports at internot dot info
Yes.

And the if() at line 564 could/should probably be removed, then.


Thanks,
 [2015-01-14 12:53 UTC] tony2001@php.net
-Type: Security +Type: Feature/Change Request
 [2015-01-15 00:07 UTC] stas@php.net
-Type: Feature/Change Request +Type: Bug
 [2015-01-15 00:07 UTC] stas@php.net
Actually, this report appears to be correct - decoding [""] via json_decode produces a segfault for me. Initializing buf doesn't help since it's initialized to 0, so buf.s->len still can have null deref. This code is in master only (older code uses buf.len which has no pointer) so no reason to keep it private.
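The mechanism behind the `[""]` reproduce case above, as an added example that is not code from php-src or from anyone in this thread: it uses a constructed miniature of `smart_str` (named `mini_smart_str`, with a lazily allocated payload `s`) to show why `smart_str buf = {0};` leaves `buf.s` NULL until the first append, so a string element that contributes no bytes reaches the reset at line 585 with `buf.s == NULL`, while the guarded form from line 564 is safe. The element lists, the `count_null_deref_resets` walk and all helper names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for php-src's smart_str (not the real definition):
 * the payload struct is allocated lazily, so after `mini_smart_str buf = {0};`
 * the pointer `s` is NULL until the first append. This is why zero-initialising
 * buf, as noted earlier in the thread, does not protect `buf.s->len = 0`. */
typedef struct {
    size_t len;
    size_t cap;
    char  *val;
} mini_string;

typedef struct {
    mini_string *s;   /* NULL until something is appended */
} mini_smart_str;

/* Append n bytes, allocating the payload on first use. */
static void mini_append(mini_smart_str *b, const char *src, size_t n) {
    if (n == 0) {
        return;           /* nothing to store: buffer may stay unallocated */
    }
    if (!b->s) {
        b->s = calloc(1, sizeof *b->s);
        if (!b->s) abort();
    }
    if (b->s->len + n > b->s->cap) {
        size_t cap = (b->s->len + n) * 2;
        char *val = realloc(b->s->val, cap);
        if (!val) abort();
        b->s->val = val;
        b->s->cap = cap;
    }
    memcpy(b->s->val + b->s->len, src, n);
    b->s->len += n;
}

/* The guarded reset from line 564 of the report. Returns 1 if a payload
 * existed and was reset, 0 if the buffer was still unallocated. */
static int reset_guarded(mini_smart_str *b) {
    if (b->s) {
        b->s->len = 0;
        return 1;
    }
    return 0;
}

/* True when the unguarded form at line 585 (`buf.s->len = 0;`) would
 * dereference NULL for this buffer state. The condition is tested instead
 * of executing the faulty statement. */
static int unguarded_reset_would_crash(const mini_smart_str *b) {
    return b->s == NULL;
}

static void mini_free(mini_smart_str *b) {
    if (b->s) {
        free(b->s->val);
        free(b->s);
        b->s = NULL;
    }
}

/* Walk the already-split string elements of a JSON array the way a parser
 * reuses one scratch buffer: copy the element in, hand it off, reset for
 * the next one. Returns how many resets would have hit the NULL pointer. */
static int count_null_deref_resets(const char *const *elems, size_t n) {
    mini_smart_str buf = {0};
    int crashes = 0;
    for (size_t i = 0; i < n; i++) {
        mini_append(&buf, elems[i], strlen(elems[i]));
        if (unguarded_reset_would_crash(&buf)) {
            crashes++;
        }
        reset_guarded(&buf);   /* the fixed form never dereferences NULL */
    }
    mini_free(&buf);
    return crashes;
}

/* Constructed inputs: element lists as json_decode would split them. */
static const char *const SAMPLE_EMPTY_FIRST[]    = { "" };            /* [""]          */
static const char *const SAMPLE_NONEMPTY_FIRST[] = { "a", "" };       /* ["a",""]      */
static const char *const SAMPLE_EMPTY_MIDDLE[]   = { "", "ab", "" };  /* ["","ab",""]  */

int main(void) {
    printf("[\"\"]         -> %d unguarded reset(s) would crash\n",
           count_null_deref_resets(SAMPLE_EMPTY_FIRST, 1));
    printf("[\"a\",\"\"]    -> %d\n", count_null_deref_resets(SAMPLE_NONEMPTY_FIRST, 2));
    printf("[\"\",\"ab\",\"\"] -> %d\n", count_null_deref_resets(SAMPLE_EMPTY_MIDDLE, 3));
    return 0;
}
```

The walk shows why the crash depends on order: once any element has appended a byte the payload exists and a later empty string is harmless, so only an empty string reached before the buffer is ever touched trips the unguarded reset. That is exactly the state a `buf.s` check covers and zero-initialisation does not.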
 [2015-01-15 00:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f95aa4d97b6a687f7b4565157b934610d354f43
Log: Fix bug #68817: Null pointer deference
 [2015-01-15 00:13 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:39 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f95aa4d97b6a687f7b4565157b934610d354f43
Log: Fix bug #68817: Null pointer deference
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 02:01:28 2024 UTC