Bug #72944 Null pointer deref in zval_delref_p
Submitted: 2016-08-26 09:04 UTC Modified: 2016-08-26 11:02 UTC
From: hanno at hboeck dot de Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0.10 OS: Linux
Private report: No CVE-ID: None
 [2016-08-26 09:04 UTC] hanno at hboeck dot de
Description:
------------
Attached file crashes when run with USE_ZEND_ALLOC=0 on an address sanitizer build.
This does not happen on a non-asan-build, I don't know why.

Script to reproduce:
https://crashes.fuzzing-project.org/nullptr.php

Asan error message / stack trace:
==5235==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000d74c90 sp 0x7ffef1db4a90 bp 0x7fe86bdec8f0 T0)
    #0 0xd74c8f in zval_delref_p /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_types.h:827
    #1 0xd74c8f in _zval_ptr_dtor_nogc /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_variables.h:49
    #2 0xd74c8f in ZEND_BW_AND_SPEC_TMPVAR_TMPVAR_HANDLER /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_vm_execute.h:45077
    #3 0xcf748d in execute_ex /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_vm_execute.h:414
    #4 0xe5c7bd in zend_execute /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_vm_execute.h:458
    #5 0xc1d5ba in zend_execute_scripts /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend.c:1427
    #6 0xb068bf in php_execute_script /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/main/main.c:2494
    #7 0xe60b1f in do_cli /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/sapi/cli/php_cli.c:974
    #8 0x48428b in main /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/sapi/cli/php_cli.c:1344
    #9 0x7fe8710f978f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x484a18 in _start (/usr/lib64/php7.0/bin/php+0x484a18)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/cli/Zend/zend_types.h:827 zval_delref_p
==5235==ABORTING

History
 [2016-08-26 10:34 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-08-26 10:34 UTC] ab@php.net
An empty page is shown in the posted link. Please post the PHP code.

Thanks.
 [2016-08-26 10:37 UTC] hanno at hboeck dot de
-Status: Feedback +Status: Open
 [2016-08-26 10:37 UTC] hanno at hboeck dot de
Uh? I can download it without problems.
It contains nonstandard characters, therefore not sure if pasting will work, but I'll try anyway:
<?php ÿ==e&$€=$€?0:0?:0;

In case this didn't work, base64:
PD9waHAg/z09ZSYkgD0kgD8wOjA/OjA7Cg==
 [2016-08-26 11:02 UTC] laruence@php.net
-Assigned To: +Assigned To: dmitry
 [2016-08-26 11:02 UTC] laruence@php.net
The problem is in the ZEND_IS_EQUAL handler:

ZEND_VM_SMART_BRANCH(result, 0) 
ZVAL_BOOL(EX_VAR(opline->result.var), result);

only checks whether the next opline is a JMP, but doesn't check if the operand is ZEND_IS_EQUAL's result.

So, for your example:
<?php "a"== e & $A = $A? 0 : 0 ?:0;

will generate the following opcodes:

FETCH_CONSTANT                               "e"                  
IS_EQUAL                "a"                  ~0                   ~1 (IS_EQUAL result)
JMPZ                    $A                   J5

....
....
....
AND                        ~1 (IS_EQUAL result)


Then in ZEND_VM_SMART_BRANCH, it finds that the next op is ZEND_JMPZ, so it does the smart jump without setting the result in EX_VAR(opline->result.var), which is ~1.

Then later, in the AND opcode, ~1 is IS_UNDEF.

thanks
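The peephole failure laruence describes above, as an added example that is not code from this bug report or from php-src: a toy interpreter in C that models the Zend VM's smart branch. Its IS_EQUAL handler peeks at the next opline and, when that opline is a JMPZ, branches directly instead of storing its boolean result. The opcode names, slot numbering and the `checked_smart_branch` flag are this model's own inventions; the "checked" variant only illustrates the kind of operand check the handler was missing, and is not a claim about what the actual fix commit changed. The constructed program mirrors the opcode dump above: the JMPZ consumes $A, not the IS_EQUAL result, while a later BW_AND does consume it.

```c
/*
 * Added example (not php-src): a toy model of the Zend VM smart-branch
 * peephole behind bug #72944. All names and slot layout are assumptions.
 */
#include <stdio.h>

enum opcode { OP_IS_EQUAL, OP_JMPZ, OP_NOP, OP_BW_AND, OP_RETURN };
enum ztype  { IS_UNDEF = 0, IS_FALSE, IS_TRUE, IS_LONG };

typedef struct { enum ztype type; long lval; } zval_t;

/* op1/op2/result are indices into the variable slots; -1 means unused. */
typedef struct { enum opcode opcode; int op1, op2, result, jmp_target; } opline_t;

#define NSLOTS 8

static long to_long(const zval_t *z)
{
    switch (z->type) {
    case IS_TRUE: return 1;
    case IS_LONG: return z->lval;
    default:      return 0;   /* IS_FALSE; IS_UNDEF is rejected before reaching here */
    }
}

/* Returns 0 on success with *out set, or -1 if an opcode read an IS_UNDEF
 * slot. The real VM has no such guard: that read is the NULL dereference
 * reported in zval_delref_p. */
static int execute(const opline_t *ops, zval_t *vars, int checked_smart_branch, long *out)
{
    int pc = 0;
    for (;;) {
        const opline_t *op = &ops[pc];
        switch (op->opcode) {
        case OP_IS_EQUAL: {
            int result = vars[op->op1].lval == vars[op->op2].lval;
            const opline_t *next = op + 1;
            /* Buggy behaviour: any following JMPZ triggers the shortcut.
             * Checked behaviour: only a JMPZ that consumes our result does. */
            int take_shortcut = next->opcode == OP_JMPZ &&
                (!checked_smart_branch || next->op1 == op->result);
            if (take_shortcut) {
                /* Smart branch: decide the JMPZ here and skip writing the result. */
                pc = result ? pc + 2 : next->jmp_target;
                continue;
            }
            vars[op->result].type = result ? IS_TRUE : IS_FALSE;
            vars[op->result].lval = 0;
            pc++;
            break;
        }
        case OP_JMPZ:
            if (vars[op->op1].type == IS_UNDEF) return -1;
            pc = to_long(&vars[op->op1]) ? pc + 1 : op->jmp_target;
            break;
        case OP_NOP:
            pc++;
            break;
        case OP_BW_AND:
            if (vars[op->op1].type == IS_UNDEF || vars[op->op2].type == IS_UNDEF) return -1;
            vars[op->result].type = IS_LONG;
            vars[op->result].lval = to_long(&vars[op->op1]) & to_long(&vars[op->op2]);
            pc++;
            break;
        case OP_RETURN:
            if (vars[op->op1].type == IS_UNDEF) return -1;
            *out = to_long(&vars[op->op1]);
            return 0;
        }
    }
}

/* Constructed program modelled on the opcode dump in the comment above:
 *   0: IS_EQUAL slot0, slot1 -> slot2   (slot2 plays the role of ~1)
 *   1: JMPZ     slot3 ($A)   -> 3       (operand is $A, NOT the IS_EQUAL result)
 *   2: NOP                              (stands in for the "...." lines)
 *   3: BW_AND   slot2, slot4 -> slot5   (consumes the IS_EQUAL result)
 *   4: RETURN   slot5
 */
int run_script(int checked_smart_branch, long *out)
{
    static const opline_t program[] = {
        { OP_IS_EQUAL, 0, 1, 2, -1 },
        { OP_JMPZ,     3, -1, -1, 3 },
        { OP_NOP,      -1, -1, -1, -1 },
        { OP_BW_AND,   2, 4, 5, -1 },
        { OP_RETURN,   5, -1, -1, -1 },
    };
    zval_t vars[NSLOTS] = {
        [0] = { IS_LONG, 1 },   /* two equal longs, so IS_EQUAL yields true */
        [1] = { IS_LONG, 1 },
        [3] = { IS_TRUE, 0 },   /* $A */
        [4] = { IS_LONG, 7 },
    };                          /* every other slot stays IS_UNDEF (zero) */
    return execute(program, vars, checked_smart_branch, out);
}

int main(void)
{
    long v = 0;
    int rc = run_script(0, &v);
    printf("unchecked smart branch: %s\n",
           rc == 0 ? "ok" : "BW_AND read an IS_UNDEF temporary (crash in the real VM)");
    rc = run_script(1, &v);
    printf("checked smart branch:   rc=%d value=%ld\n", rc, v);
    return 0;
}
```

With the unchecked peephole the IS_EQUAL handler jumps over the JMPZ on its own result, never evaluates $A, and leaves slot 2 undefined, which BW_AND then reads. With the operand check the shortcut is declined, the boolean is materialised, JMPZ tests $A as written, and BW_AND computes 1 & 7.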
 [2016-08-29 09:15 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b66039db333f730be60c6f6e1925eeb01220e4eb
Log: Fixed bug #72944 (Null pointer deref in zval_delref_p).
 [2016-08-29 09:15 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Mon Mar 31 07:01:29 2025 UTC