PHP :: Bug #72164 :: Null Pointer Dereference

Bug #72164	Null Pointer Dereference - mb_ereg_replace
Submitted:	2016-05-05 08:39 UTC	Modified:	2016-05-05 08:44 UTC
From:	shm@php.net	Assigned:
Status:	Closed	Package:	mbstring related
PHP Version:	7.0.6	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	shm@php.net
New email:
PHP Version:		OS:

New Comment:

[2016-05-05 08:39 UTC] shm@php.net

Description:
------------
mb_ereg_replace causes Null pointer dereference in _php_mb_regex_ereg_replace_exec function. eval_buf can be derefered in case when eval option is turned on and pattern is empty.

Test script:
---------------
<?php
$var0 = "e";
$var2 = "";
$var8 = mbereg_replace($var2,$_,$_,$var0);

Expected result:
----------------
Null pointer is not derefered

Actual result:
--------------
$ ./php mbereg_replace.php 
ASAN:SIGSEGV
=================================================================
==906== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x000000a29c5a sp 0x7ffffafed520 bp 0x7ffffafedb70 T0)
AddressSanitizer can not provide additional info.
    #0 0xa29c59 in _php_mb_regex_ereg_replace_exec /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:941
    #1 0xa2a949 in zif_mb_ereg_replace /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:1029
    #2 0x101ced6 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #3 0x101bf4f in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #4 0x101c1aa in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #5 0xf31538 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #6 0xdc0d02 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #7 0x1148111 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #8 0x114a6ed in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #9 0x7f6c245b1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x4247a8 in _start (/home/shm/src/php-7.0.6/sapi/cli/php+0x4247a8)
SUMMARY: AddressSanitizer: SEGV /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:941 _php_mb_regex_ereg_replace_exec
==906== ABORTING
Aborted

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-05-05 08:44 UTC] shm@php.net

-Summary: Null Pointer Dereference +Summary: Null Pointer Dereference - mb_ereg_replace

[2016-05-05 09:28 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=395863b1d1798100b51c4c8be6e88d574e1a1bf1
Log: Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace)

[2016-05-05 09:28 UTC] laruence@php.net

-Status: Open +Status: Closed

[2016-07-20 11:31 UTC] davey@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=395863b1d1798100b51c4c8be6e88d574e1a1bf1
Log: Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC