Bug #73073 CachingIterator null dereference when convert to string
Submitted: 2016-09-13 16:25 UTC Modified: 2017-02-13 01:20 UTC
From: ahihibughunter at gmail dot com Assigned: stas (profile)
Status: Closed Package: SPL related
PHP Version: 5.6.26RC1 OS: ALL
Private report: No CVE-ID: None
 [2016-09-13 16:25 UTC] ahihibughunter at gmail dot com
Description:
------------
SPL_METHOD(CachingIterator, __toString)
{
....
if (intern->u.caching.flags & CIT_TOSTRING_USE_KEY) {
		MAKE_COPY_ZVAL(&intern->current.key, return_value); <- &intern->current.key used without checking its value
		convert_to_string(return_value);
....
}

Test script:
---------------
<?php
$it = new CachingIterator(new ArrayIterator(array()), CachingIterator::TOSTRING_USE_KEY);
var_dump((string)$it);
?>
Expected result:
----------------
no crash

Actual result:
--------------
zx@ubuntu:~/zx/php$ gdb php5/php-src-PHP-5.6.26/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
....
gdb-peda$ r crash.php 
Starting program: /home/zx/zx/php/php5/php-src-PHP-5.6.26/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffffffa358 --> 0x7ffff7fbed18 --> 0x0 
RCX: 0x7ffff7fbed18 --> 0x0 
RDX: 0x40 ('@')
RSI: 0x7ffff7fbed18 --> 0x0 
RDI: 0x7ffff7fbd5f8 --> 0x5a5a5a5a00000001 
RBP: 0x7fffffffa050 --> 0x7fffffffa1c0 --> 0x7fffffffa300 --> 0x7fffffffa3a0 --> 0x7fffffffa3f0 --> 0x7fffffffa450 (--> ...)
RSP: 0x7fffffffa000 --> 0x7ffff7fbd5f8 --> 0x5a5a5a5a00000001 
RIP: 0x88d817 (<zim_spl_CachingIterator___toString+210>:	mov    rdx,QWORD PTR [rax+0x8])
R8 : 0x1 
R9 : 0x0 
R10: 0x477 
R11: 0x7ffff4ef1730 --> 0xfffda400fffda12f 
R12: 0x439100 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffddd0 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x88d80b <zim_spl_CachingIterator___toString+198>:	mov    rax,QWORD PTR [rbp-0x18]
   0x88d80f <zim_spl_CachingIterator___toString+202>:	mov    rax,QWORD PTR [rax+0x48]
   0x88d813 <zim_spl_CachingIterator___toString+206>:	mov    rcx,QWORD PTR [rbp-0x40]
=> 0x88d817 <zim_spl_CachingIterator___toString+210>:	mov    rdx,QWORD PTR [rax+0x8]
   0x88d81b <zim_spl_CachingIterator___toString+214>:	mov    rax,QWORD PTR [rax]
   0x88d81e <zim_spl_CachingIterator___toString+217>:	mov    QWORD PTR [rcx],rax
   0x88d821 <zim_spl_CachingIterator___toString+220>:	mov    QWORD PTR [rcx+0x8],rdx
   0x88d825 <zim_spl_CachingIterator___toString+224>:	mov    rax,QWORD PTR [rbp-0x18]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa000 --> 0x7ffff7fbd5f8 --> 0x5a5a5a5a00000001 
0008| 0x7fffffffa008 --> 0x7fffffffa358 --> 0x7ffff7fbed18 --> 0x0 
0016| 0x7fffffffa010 --> 0x7ffff7fbed18 --> 0x0 
0024| 0x7fffffffa018 --> 0x1 
0032| 0x7fffffffa020 --> 0x7fffffffa050 --> 0x7fffffffa1c0 --> 0x7fffffffa300 --> 0x7fffffffa3a0 --> 0x7fffffffa3f0 (--> ...)
0040| 0x7fffffffa028 --> 0xa7ddc9 (<_emalloc+111>:	leave)
0048| 0x7fffffffa030 --> 0x7ffff7fbff88 --> 0x1605130 --> 0x1 
0056| 0x7fffffffa038 --> 0x7ffff7fbff88 --> 0x1605130 --> 0x1 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000088d817 in zim_spl_CachingIterator___toString (ht=0x0, return_value=0x7ffff7fbed18, return_value_ptr=0x7fffffffa358, this_ptr=0x7ffff7fbd5f8, return_value_used=0x1)
    at /home/zx/zx/php/php-src-PHP-5.6.26/ext/spl/spl_iterators.c:2866
warning: Source file is more recent than executable.
2866			MAKE_COPY_ZVAL(&intern->current.key, return_value);
gdb-peda$ print intern->current.key
$4 = (zval *) 0x0
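As an added illustration (not PHP's source and not the committed fix), here is a small C model of the state that __toString reads when TOSTRING_USE_KEY is set: the unguarded shape shown in the report next to a guarded variant that treats "no key cached yet" as an empty string. The struct names, function names and the flag value are hypothetical stand-ins for the zval/intern structures in ext/spl/spl_iterators.c.

```c
#include <stdio.h>
#include <string.h>

#define CIT_TOSTRING_USE_KEY 2u   /* hypothetical flag value, this model only */

/* Stand-in for a zval holding either a long or a string. */
typedef struct {
    int is_string;
    long lval;
    const char *str;
} model_zval;

/* Stand-in for the iterator object: current.key stays NULL until an element
 * has been fetched from the inner iterator, which never happens when the
 * inner iterator is empty (the report's `new ArrayIterator(array())`). */
typedef struct {
    unsigned flags;
    struct { model_zval *key; } current;
} model_intern;

/* Shape of the reported code: current.key is dereferenced unconditionally,
 * so an empty inner iterator reads through a NULL pointer. */
int to_string_unguarded(const model_intern *in, char *out, size_t n) {
    if (!(in->flags & CIT_TOSTRING_USE_KEY)) return -1;
    const model_zval *k = in->current.key;            /* NULL if nothing cached */
    if (k->is_string) snprintf(out, n, "%s", k->str); /* NULL dereference here */
    else snprintf(out, n, "%ld", k->lval);
    return 0;
}

/* Guarded variant: report "nothing cached yet" (returns 1, empty string)
 * instead of touching the NULL key. Returns 0 when a key was converted,
 * -1 when the flag is not set. */
int to_string_guarded(const model_intern *in, char *out, size_t n) {
    if (!(in->flags & CIT_TOSTRING_USE_KEY)) return -1;
    const model_zval *k = in->current.key;
    if (k == NULL) { out[0] = '\0'; return 1; }
    if (k->is_string) snprintf(out, n, "%s", k->str);
    else snprintf(out, n, "%ld", k->lval);
    return 0;
}

int main(void) {
    /* Constructed state matching the report: flag set, inner iterator empty. */
    model_intern empty = { CIT_TOSTRING_USE_KEY, { NULL } };
    char buf[32];
    int rc = to_string_guarded(&empty, buf, sizeof buf);
    printf("guarded: rc=%d value=\"%s\"\n", rc, buf);  /* rc=1 value="" */
    return 0;
}
```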
 [2016-09-21 06:01 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-21 06:01 UTC] stas@php.net
The fix is in security repo as 33a8af0510c5899cbf9148f53da08cf4f2df0013 and in https://gist.github.com/fbd1fcbac1d9e041dcad6e191966c9d0

please verify
 [2016-09-21 10:54 UTC] ahihibughunter at gmail dot com
This patch looks good.
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=33a8af0510c5899cbf9148f53da08cf4f2df0013
Log: Fix bug #73073 - CachingIterator null dereference when convert to string
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=33a8af0510c5899cbf9148f53da08cf4f2df0013
Log: Fix bug #73073 - CachingIterator null dereference when convert to string
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=33a8af0510c5899cbf9148f53da08cf4f2df0013
Log: Fix bug #73073 - CachingIterator null dereference when convert to string
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=33a8af0510c5899cbf9148f53da08cf4f2df0013
Log: Fix bug #73073 - CachingIterator null dereference when convert to string
 [2017-02-13 01:20 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri Jan 31 03:01:29 2025 UTC