Bug #72660 NULL Pointer dereference in zend_virtual_cwd
Submitted: 2016-07-23 18:27 UTC Modified: -
From: martino dot sani at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: master-Git-2016-07-23 (Git) OS: Debian 4.2.3-2 x86_64
Private report: No CVE-ID: None
 [2016-07-23 18:27 UTC] martino dot sani at gmail dot com
Description:
------------
One of the IS_ABSOLUTE_PATH macros in the zend_virtual_cwd.h file does not verify that the path is not null. This could lead to a null pointer dereference issue.

I triggered the issue through the ZipArchive::addPattern function with ZTS (Zend Thread Safety) enabled, but maybe it could be triggered via different vectors.

http://php.net/manual/en/ziparchive.addpattern.php reports that the default value of the $path argument is "." but in my test it was null.

--- zend_virtual_cwd.h (line 112) ---

#ifndef IS_ABSOLUTE_PATH
#define IS_ABSOLUTE_PATH(path, len) \
        (IS_SLASH(path[0]))
#endif

---

--- php_zip.c (line 609) ---

#ifdef ZTS
if (!IS_ABSOLUTE_PATH(path, path_len)) {
   result = VCWD_GETCWD(cwd, MAXPATHLEN);

---




Test script:
---------------
--- PHP test script ---

<?php
$zip = new ZipArchive();
$zip->open("foo.zip", ZIPARCHIVE::CREATE);
// $path omitted: on a ZTS build this reaches IS_ABSOLUTE_PATH with path == NULL
$zip->addPattern("/\./");

---

--- PHP build ---

$ ./configure --enable-zip --enable-maintainer-zts

---

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

0x0000000001f7e049 in php_zip_pcre (regexp=<optimized out>, path=0x0, path_len=<optimized out>, return_value=<optimized out>) at ext/zip/php_zip.c:610
warning: Source file is more recent than executable.
610             if (!IS_ABSOLUTE_PATH(path, path_len)) {

(gdb) bt

#0  0x0000000001f7e049 in php_zip_pcre (regexp=<optimized out>, path=0x0, path_len=<optimized out>, return_value=<optimized out>) at ext/zip/php_zip.c:610
#1  0x0000000001f9cb8b in php_zip_add_from_pattern (execute_data=<optimized out>, return_value=<optimized out>, type=<optimized out>) at ext/zip/php_zip.c:1669
#2  0x000000000276ddd4 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=<optimized out>) at Zend/zend_vm_execute.h:970
#3  0x0000000002673052 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#4  0x0000000002673c2f in zend_execute (op_array=<optimized out>, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#5  0x000000000242b711 in zend_execute_scripts (type=<optimized out>, retval=<optimized out>, file_count=<optimized out>) at Zend/zend.c:1447
#6  0x000000000202ccce in php_execute_script (primary_file=0x7fffffffcd20) at main/main.c:2533
#7  0x0000000002a97fe3 in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:990
#8  0x0000000002a9385c in main (argc=3, argv=0x60300000ee30) at sapi/cli/php_cli.c:1378

(gdb) info args

regexp = <optimized out>
path = 0x0
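
Added example (not php-src code, and not the upstream fix in the commit linked below): a stand-alone C model of the two macros quoted above and of the ZTS branch of php_zip_pcre(), placing a hypothetical NULL- and length-aware guard beside the original macro. IS_SLASH is modelled with the POSIX definition (only '/'), resolve_base() and its cwd argument stand in for the code around VCWD_GETCWD(), the "." default follows the ZipArchive::addPattern() manual page cited in the report, and all inputs are constructed so the program runs offline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IS_SLASH as in the POSIX section of zend_virtual_cwd.h; the Windows
 * definition also accepts '\\'. */
#define IS_SLASH(c) ((c) == '/')

/* The macro exactly as quoted in the report: path[0] is read unconditionally,
 * so path == NULL faults on the very first access. */
#define IS_ABSOLUTE_PATH(path, len) \
        (IS_SLASH(path[0]))

/* Hypothetical guarded variant (this is not the upstream fix): refuse to read
 * through a NULL or empty buffer, then apply the same slash test. */
#define IS_ABSOLUTE_PATH_SAFE(path, len) \
        ((path) != NULL && (len) > 0 && IS_SLASH((path)[0]))

/* Model of the ZTS branch of php_zip_pcre(): work out the directory the
 * pattern is matched in.  cwd is passed in place of VCWD_GETCWD() so the
 * example runs offline.  Returns 0 on success, -1 if out is too small. */
int resolve_base(const char *path, size_t path_len, const char *cwd,
                 char *out, size_t out_len)
{
    int n;

    /* Apply the documented default of ZipArchive::addPattern() ($path = ".")
     * before anything dereferences path.  This is the guard the report says
     * is missing: with it, the NULL seen in the gdb session never reaches
     * the macro. */
    if (path == NULL || path_len == 0) {
        path = ".";
        path_len = 1;
    }

    if (!IS_ABSOLUTE_PATH_SAFE(path, path_len)) {
        /* relative base: cwd + "/" + path, mirroring the VCWD_GETCWD branch */
        n = snprintf(out, out_len, "%s/%.*s", cwd, (int)path_len, path);
    } else {
        n = snprintf(out, out_len, "%.*s", (int)path_len, path);
    }
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Convenience check: 1 if resolve_base() succeeds with a constructed cwd of
 * "/var/www" and yields exactly `expect`, else 0 (including on truncation). */
int base_is(const char *path, size_t path_len, const char *expect)
{
    char buf[64];
    if (resolve_base(path, path_len, "/var/www", buf, sizeof buf) != 0) {
        return 0;
    }
    return strcmp(buf, expect) == 0;
}

/* The original macro on a non-NULL path; calling this with NULL reproduces
 * the SIGSEGV from the report. */
int original_macro_says_absolute(const char *path)
{
    return IS_ABSOLUTE_PATH(path, strlen(path)) ? 1 : 0;
}

int main(void)
{
    char buf[64];
    const char *inputs[] = { NULL, "", "sub/dir", "/tmp/x" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *p = inputs[i];
        resolve_base(p, p ? strlen(p) : 0, "/var/www", buf, sizeof buf);
        printf("%-10s -> %s\n", p ? p : "NULL", buf);
    }
    return 0;
}
```

The point of the guard is its ordering: the default for a missing or empty $path is applied before any macro reads through the pointer, and the guarded macro itself short-circuits on NULL and on a zero length, so neither the ZTS branch nor any other caller can reach IS_SLASH(path[0]) with path == 0x0.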


 [2016-07-24 15:59 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ad96a052d918c7fcfaab702c4319acac20435d6b
Log: Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd)
 [2016-07-24 15:59 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ad96a052d918c7fcfaab702c4319acac20435d6b
Log: Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC