Bug #74146 Null pointer dereference in _zval_get_long_func_ex()
Submitted: 2017-02-22 07:48 UTC Modified: 2017-03-02 18:37 UTC
From: fumfi dot 255 at gmail dot com Assigned: pollita
Status: Closed Package: Unknown/Other Function
PHP Version: 7.1.2 OS: Linux x64
Private report: No CVE-ID: None

 [2017-02-22 07:48 UTC] fumfi dot 255 at gmail dot com
Description:
------------
After some fuzz testing I found a crashing test case.

PHP 7.1.2 compiled from source with ASAN.

To reproduce: /php-7.1.2/sapi/cli/php php_zend_null_ptr.php

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==26915==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000159 (pc 0x00000181faa6 bp 0x7fffa1f671b0 sp 0x7fffa1f670a0 T0)
==26915==The signal is caused by a READ memory access.
==26915==Hint: address points to the zero page.
    #0 0x181faa5 in _zval_get_long_func_ex XYZ/php-7.1.2/Zend/zend_operators.c:787:5
    #1 0x181faa5 in _zval_get_long_func XYZ/php-7.1.2/Zend/zend_operators.c:805
    #2 0x17b581d in _zval_get_long XYZ/php-7.1.2/Zend/zend_operators.h:270:50
    #3 0x17b581d in zend_compile_declare XYZ/php-7.1.2/Zend/zend_compile.c:4973
    #4 0x17a6806 in zend_compile_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7834:4
    #5 0x17cada3 in zend_compile_top_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7756:2
    #6 0x17cad48 in zend_compile_top_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7751:4
    #7 0x16e65c6 in zend_compile XYZ/php-7.1.2/Zend/zend_language_scanner.l:601:3
    #8 0x16e5f34 in compile_file XYZ/php-7.1.2/Zend/zend_language_scanner.l:635:14
    #9 0x11ba040 in phar_compile_file XYZ/php-7.1.2/ext/phar/phar.c:3320:9
    #10 0x185b1a8 in zend_execute_scripts XYZ/php-7.1.2/Zend/zend.c:1469:14
    #11 0x161d54d in php_execute_script XYZ/php-7.1.2/main/main.c:2537:14
    #12 0x1ccd48b in do_cli XYZ/php-7.1.2/sapi/cli/php_cli.c:993:5
    #13 0x1cca38e in main XYZ/php-7.1.2/sapi/cli/php_cli.c:1381:18
    #14 0x7f5bac0ed82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x463528 in _start (XYZ/php-7.1.2/sapi/cli/php+0x463528)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.2/Zend/zend_operators.c:787:5 in _zval_get_long_func_ex
==26915==ABORTING

Test script:
---------------
<?(function(){});function f(){}declare(ticks=±){}


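The report above is worth reading for its address line: 0x159 is a small offset from NULL on the zero page, which is the signature of a struct field read through a null pointer rather than a wild or freed pointer. The following triage helper, added here and not part of the original report or of PHP itself, parses an AddressSanitizer SEGV report of this shape, pulls out the fault address, access type and stack frames, and flags the near-null case. The embedded sample is a constructed excerpt of the report quoted above; the 4 KiB zero-page threshold is an assumed heuristic.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in the bug report above.
SAMPLE_REPORT = """\
ASAN:DEADLYSIGNAL
=================================================================
==26915==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000159 (pc 0x00000181faa6 bp 0x7fffa1f671b0 sp 0x7fffa1f670a0 T0)
==26915==The signal is caused by a READ memory access.
==26915==Hint: address points to the zero page.
    #0 0x181faa5 in _zval_get_long_func_ex XYZ/php-7.1.2/Zend/zend_operators.c:787:5
    #1 0x181faa5 in _zval_get_long_func XYZ/php-7.1.2/Zend/zend_operators.c:805
    #2 0x17b581d in _zval_get_long XYZ/php-7.1.2/Zend/zend_operators.h:270:50
    #3 0x17b581d in zend_compile_declare XYZ/php-7.1.2/Zend/zend_compile.c:4973
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.2/Zend/zend_operators.c:787:5 in _zval_get_long_func_ex
==26915==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# Frames with a source location: "#N 0xADDR in func path:line[:col]"
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)

# Assumed heuristic: a fault address below the first 4 KiB page is a NULL pointer
# plus a struct field offset, i.e. a null-pointer dereference, not a stray pointer.
ZERO_PAGE = 0x1000


def triage_asan(report):
    """Return a dict summarising an ASAN SEGV report, or None if none is present."""
    m = ERROR_RE.search(report)
    if not m:
        return None
    kind, addr = m.group(1), int(m.group(2), 16)
    access = ACCESS_RE.search(report)
    frames = FRAME_RE.findall(report)
    top = frames[0] if frames else None
    return {
        "kind": kind,
        "address": addr,
        "access": access.group(1) if access else "UNKNOWN",
        "null_deref": kind == "SEGV" and addr < ZERO_PAGE,
        "top_frame": {"function": top[1], "file": top[2], "line": int(top[3])} if top else None,
        "frames": [f[1] for f in frames],
    }
```

For this report the result points at a READ of NULL+0x159 inside `_zval_get_long_func_ex`, reached from `zend_compile_declare`, which is the information needed to reproduce and fix the defect without executing untrusted input beyond the one-line test script.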
History

 [2017-03-02 16:52 UTC] fumfi dot 255 at gmail dot com
This is CVE-2017-6441.
 [2017-03-02 18:31 UTC] nikic@php.net
Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only.
 [2017-03-02 18:37 UTC] requinix@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: pollita
 [2017-03-02 18:37 UTC] requinix@php.net
The PR was merged.