Bug #71561 NULL pointer dereference in virtual_file_ex
Submitted: 2016-02-09 14:36 UTC Modified: 2016-02-09 14:56 UTC
From: martino dot sani at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2016-02-09 (Git) OS: Debian 4.0.8-2 x86_64 GNU/Linux
Private report: No CVE-ID: None
 [2016-02-09 14:36 UTC] martino dot sani at gmail dot com
Description:
------------
The virtual_file_ex method in the zend_virtual_cwd.c file uses a char* argument that could be NULL.
I triggered this issue through the extractTo method in the PHP Zip extension (see test script) by opening a non-existent ZIP archive.

Vulnerable code in zend_virtual_cwd.c:

   CWD_API int virtual_file_ex(cwd_state *state, const char *path, verify_path_func verify_path, int use_realpath) /* {{{ */
   {
       // path could be NULL
       int path_length = (int)strlen(path);

The issue is triggerable via the addEmptyDir and extractTo Zip extension methods if a non-existent zip archive is opened.

The extractTo method in the php_zip.c file:

   /* Extract all files */
   // zip_get_num_files returns 1 (intern->nentry is equal to 1) because, I think, addEmptyDir incremented it.
   int filecount = zip_get_num_files(intern);

   if (filecount == -1) {
       // ...
   }

   for (i = 0; i < filecount; i++) {

       // zip_get_name returns NULL
       char *file = (char*)zip_get_name(intern, i, ZIP_FL_UNCHANGED);

       // php_zip_extract_file uses virtual_file_ex
       if (!php_zip_extract_file(intern, pathto, file, strlen(file))) {
           RETURN_FALSE;
       }
   }

PHP built using:

   ./buildconf --force
   ./configure --prefix=/opt/php --enable-debug --enable-zip
   make && make install


Test script:
---------------
<?php

   $zip = new ZipArchive();

   // Open a non-existent zip file; CREATE makes open() succeed even though
   // nothing exists on disk yet
   $zip->open("/dev/shm/notexisting.zip", ZipArchive::CREATE);

   // Adds an entry to the in-memory archive (nentry becomes 1)
   $zip->addEmptyDir("foo");

   // Program terminated with signal SIGSEGV, Segmentation fault.
   $zip->extractTo("/dev/shm/");

   $zip->close();

?>

Expected result:
----------------
PHP interpreter should not crash.

No action could be performed by the extractTo method because the zip file does not physically exist, or the "in-memory" zip archive could be handled as a normal archive (if possible).

Actual result:
--------------
PHP interpreter crashes with a SIGSEGV.

   (gdb) where
   #0  strlen () at ../sysdeps/x86_64/strlen.S:106
   #1  0x000000000079055a in c_ziparchive_extractTo (execute_data=0x7f3656a15120, return_value=0x7f3656a15100) at /php-src/master/src/ext/zip/php_zip.c:2671
   #2  0x0000000000891c3a in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /php-src/master/src/Zend/zend_vm_execute.h:1024
   #3  0x0000000000890610 in execute_ex (ex=0x7f3656a15030) at /php-src/master/src/Zend/zend_vm_execute.h:422
   #4  0x0000000000890721 in zend_execute (op_array=0x7f3656a82000, return_value=0x0) at /php-src/master/src/Zend/zend_vm_execute.h:466
   #5  0x00000000008362e8 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /php-src/master/src/Zend/zend.c:1427
   #6  0x00000000007a76ae in php_execute_script (primary_file=0x7ffd6efe8db0) at /php-src/master/src/main/main.c:2484
   #7  0x0000000000908079 in do_cli (argc=3, argv=0x18a1c40) at /php-src/master/src/sapi/cli/php_cli.c:974
   #8  0x0000000000909043 in main (argc=3, argv=0x18a1c40) at /php-src/master/src/sapi/cli/php_cli.c:1345
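The extract-all loop quoted in the report feeds the result of zip_get_name() straight into strlen(), so an entry whose name lookup yields NULL faults before php_zip_extract_file is ever reached. The following is an added, self-contained example (not php-src code and not the fix commit) of the same loop with the pointer checked first and the whole call failing closed. The mock_zip_t type and the mock_* functions are constructed stand-ins for the libzip handle, zip_get_num_files(), zip_get_name() and php_zip_extract_file(); phantom_archive reproduces the report's state (one counted entry, no retrievable name) and real_archive is a constructed healthy archive for comparison.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a libzip archive handle (assumption: not libzip's
 * real struct). The entry table may hold entries whose name lookup yields
 * NULL, which is what the report observed after addEmptyDir() on an archive
 * opened with CREATE on a path that does not exist. */
#define MAX_ENTRIES 4
typedef struct {
    const char *names[MAX_ENTRIES];
    int nentry;
} mock_zip_t;

/* Stand-in for zip_get_num_files(): -1 when there is no handle. */
static int mock_zip_get_num_files(const mock_zip_t *za) {
    return za ? za->nentry : -1;
}

/* Stand-in for zip_get_name(): NULL when the entry has no name to return. */
static const char *mock_zip_get_name(const mock_zip_t *za, int index) {
    if (!za || index < 0 || index >= za->nentry) return NULL;
    return za->names[index];
}

/* Stand-in for php_zip_extract_file(): returns 1 on success, 0 on failure.
 * A real implementation would build pathto/file and write the entry out;
 * here only the name it was handed is validated. */
static int mock_extract_file(const char *pathto, const char *file, size_t file_len) {
    (void)pathto;
    if (file == NULL || file_len == 0) return 0;
    return file[0] != '\0';
}

/* Hardened form of the loop in the report: the pointer returned by the name
 * lookup is checked before it reaches strlen(), and a missing name fails the
 * whole call instead of crashing the interpreter.
 * Returns the number of entries extracted, or -1 on failure. */
static int extract_all_checked(const mock_zip_t *za, const char *pathto) {
    int filecount = mock_zip_get_num_files(za);
    if (filecount == -1) return -1;

    for (int i = 0; i < filecount; i++) {
        const char *file = mock_zip_get_name(za, i);
        if (file == NULL) return -1;   /* the report's crash site: strlen(NULL) */
        if (!mock_extract_file(pathto, file, strlen(file))) return -1;
    }
    return filecount;
}

/* Archive state as described in the report: nentry == 1, name lookup NULL. */
static const mock_zip_t phantom_archive = { { NULL }, 1 };

/* Constructed healthy archive: two named entries. */
static const mock_zip_t real_archive = { { "foo/", "foo/bar.txt" }, 2 };

int main(void) {
    printf("phantom archive: %d\n", extract_all_checked(&phantom_archive, "/dev/shm/"));
    printf("real archive:    %d\n", extract_all_checked(&real_archive, "/dev/shm/"));
    return 0;
}
```

The point of the check is placement: it has to sit between the lookup and the first dereference, because strlen() is the dereference. Returning -1 for the phantom archive matches the report's first expected outcome (extractTo performs no action on an archive that does not exist on disk); surfacing it as a PHP false return rather than a segfault is the part the interpreter must guarantee.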

History
 [2016-02-09 14:56 UTC] martino dot sani at gmail dot com
-Summary: NULL Pointer Deference in virtual_file_ex +Summary: NULL pointer dereference in virtual_file_ex
 [2016-02-09 14:56 UTC] martino dot sani at gmail dot com
edited summary
 [2016-02-09 15:36 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f45752eb8393ebe758d8e920f7a48a2a39aa6ea5
Log: Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo)
 [2016-02-09 15:36 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-02-09 15:37 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f45752eb8393ebe758d8e920f7a48a2a39aa6ea5
Log: Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Feb 02 04:01:31 2025 UTC