PHP :: Bug #70912 :: Null ptr dereference when class property is initialised to a dereferenced value.

Bug #70912	Null ptr dereference when class property is initialised to a dereferenced value.
Submitted:	2015-11-13 11:52 UTC	Modified:	2015-11-13 14:50 UTC
From:	leigh@php.net	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	master-Git-2015-11-13 (Git)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	leigh@php.net
New email:
PHP Version:		OS:

New Comment:

[2015-11-13 11:52 UTC] leigh@php.net

Description:
------------
Instantiating a class (normal or anonymous) that has property initialised with a double array short syntax causes a null pointer dereference in zend_ast_evaluate.

PHP compiled with --disable-all.

This affects 7.0alpha1 up to git-master - https://3v4l.org/cg1F3

Found with afl

Test script:
---------------
<?php

new class {
    public $a = [][];
};

Expected result:
----------------
Exit code 0

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000669709 in zend_ast_evaluate (result=0x7fffffffa160, ast=0x0, scope=0x0)
    at /home/leigh/php-src/Zend/zend_ast.c:217
217		switch (ast->kind) {
Missing separate debuginfos, use: dnf debuginfo-install nss-softokn-freebl-3.20.1-1.0.fc23.x86_64
(gdb) bt
#0  0x0000000000669709 in zend_ast_evaluate (result=0x7fffffffa160, ast=0x0, scope=0x0)
    at /home/leigh/php-src/Zend/zend_ast.c:217
#1  0x000000000066a305 in zend_ast_evaluate (result=0x7fffffffa280, ast=0x7ffff66020a8, 
    scope=0x0) at /home/leigh/php-src/Zend/zend_ast.c:390
#2  0x000000000061712b in zval_update_constant_ex (p=0x7ffff66010f0, inline_change=1 '\001', 
    scope=0x0) at /home/leigh/php-src/Zend/zend_execute_API.c:641
#3  0x0000000000633603 in zend_update_class_constants (class_type=0x7ffff6603018)
    at /home/leigh/php-src/Zend/zend_API.c:1155
#4  0x0000000000633bb9 in _object_and_properties_init (arg=0x7fffffffa4d0, 
    class_type=0x7ffff6603018, properties=0x0, 
    __zend_filename=0x87e988 "/home/leigh/php-src/Zend/zend_vm_execute.h", __zend_lineno=15353)
    at /home/leigh/php-src/Zend/zend_API.c:1273
#5  0x0000000000633cc7 in _object_init_ex (arg=0x7fffffffa4d0, class_type=0x7ffff6603018, 
    __zend_filename=0x87e988 "/home/leigh/php-src/Zend/zend_vm_execute.h", __zend_lineno=15353)
    at /home/leigh/php-src/Zend/zend_API.c:1296
#6  0x00000000006a275e in ZEND_NEW_SPEC_VAR_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:15353
#7  0x0000000000684d72 in execute_ex (ex=0x7ffff6614030)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#8  0x0000000000684e53 in zend_execute (op_array=0x7ffff6687000, return_value=0x0)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#9  0x000000000062e497 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/leigh/php-src/Zend/zend.c:1428
#10 0x00000000005aa22a in php_execute_script (primary_file=0x7fffffffdbc0)
    at /home/leigh/php-src/main/main.c:2471
#11 0x00000000006e62c9 in do_cli (argc=2, argv=0xafe4b0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:974
#12 0x00000000006e7159 in main (argc=2, argv=0xafe4b0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1345

Patches

Pull Requests

Pull requests:

Fixed bug #70912 (Null ptr dereference instantiating class with invalâ€¦ (php-src/1637)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-11-13 14:50 UTC] leigh@php.net

-Summary: Null ptr dereference instantiating class with invalid array property. +Summary: Null ptr dereference when class property is initialised to a dereferenced value.

[2015-11-13 14:50 UTC] leigh@php.net

Updated title, also happens with

public $a = a[];
public $a = "a"[];
public $a = null[];
public $a = true[];

etc.

[2015-11-13 15:05 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=25de928df77d9906c81becddca42143d19d6eedd
Log: Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property)

[2015-11-13 15:05 UTC] laruence@php.net

-Status: Open +Status: Closed

[2015-11-20 01:03 UTC] ab@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=815e456a7ada4865d1dfb3fbc90bfece4a02ba9e
Log: Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property)

[2016-07-20 11:35 UTC] davey@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=25de928df77d9906c81becddca42143d19d6eedd
Log: Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Dec 22 03:01:28 2024 UTC