PHP :: Bug #68839 :: Explicit null pointer dereference

Bug #68839	Explicit null pointer dereference
Submitted:	2015-01-15 16:19 UTC	Modified:	2015-01-20 19:51 UTC
From:	bugreports at internot dot info	Assigned:	stas (profile)
Status:	Closed	Package:	PHAR related
PHP Version:	master-Git-2015-01-15 (Git)	OS:	Linux Ubuntu 14.04
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bugreports at internot dot info
New email:
PHP Version:		OS:

New Comment:

[2015-01-15 16:19 UTC] bugreports at internot dot info

Description:
------------
Hi,

The bug itself is in /ext/phar/zip.c, but I'll add the code that I used to find it:


In /ext/phar/phar.c:


2524                return phar_zip_flush(phar, user_stub, len, convert, error);


'error' is NULL at that point, since:
2513        if (error) {
2514                *error = NULL;
2515        }


phar_zip_flush correctly checks for NULL in most places:

1206                if (error) {
1207                        spprintf(error, 0, "internal error: attempt to flush cached zip-based phar \"%s\"", phar->fname);
1208                }

1224                        if (error) {
1225                                spprintf(error, 0, "unable to set alias in zip-based phar \"%s\"", phar->fname);
1226                        }
1227                        return EOF;

etc.

But it does not check for NULL on an unwritable tmp file:

1219                if (entry.fp == NULL) {
1220                        spprintf(error, 0, "phar error: unable to create temporary file");
1221                        return EOF;
1222                }




I will be  submitting a a patch for this in a moment, to internals@php.


Thanks,

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-01-15 17:10 UTC] tony2001@php.net

-Type: Security +Type: Bug

[2015-01-16 08:21 UTC] bugreports at internot dot info

https://github.com/MegaManSec/php-src/commit/7df256e25f778a680f1b7e28c5e6cf4d85ecc0dc
pull request submitted

[2015-01-20 19:51 UTC] stas@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: stas

[2015-01-20 19:51 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Apr 29 11:01:28 2025 UTC