Bug #75002 Null Pointer Dereference in timelib_time_clone
Submitted: 2017-07-28 10:08 UTC Modified: 2017-07-30 19:41 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Closed Package: SPL related
PHP Version: 5.6.31, 7.1.7 OS:
Private report: No CVE-ID: None
 [2017-07-28 10:08 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
Since the argument origts is 0, the null pointer is dereferenced.

Test script:
---------------
<?php

// Subclass whose constructor never calls parent::__construct(),
// so the internal DatePeriod state (start date, interval, ...) is never set.
class aaa extends DatePeriod {
	public function __construct() { }
}

$start = new DateTime('2012-08-01');

// Iterating the uninitialised object reaches timelib_time_clone with a null start.
foreach (new aaa($start) as $key => $y) {
	$a = $key;
}


Expected result:
----------------
no crash

Actual result:
--------------
root@ubuntu:/home/hjy/Desktop# ./php-7.1.7/sapi/cli/php poc.php 
ASAN:SIGSEGV
=================================================================
==6186==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x081c3fb7 sp 0xbfde97f0 bp 0xbfde9818 T0)
    #0 0x81c3fb6 in memcpy /usr/include/i386-linux-gnu/bits/string3.h:51
    #1 0x81c3fb6 in timelib_time_clone /home/hjy/Desktop/php-7.1.7/ext/date/lib/timelib.c:58
    #2 0x80be985 in date_period_it_rewind /home/hjy/Desktop/php-7.1.7/ext/date/php_date.c:1947
    #3 0xa12536a in ZEND_FE_RESET_R_SPEC_VAR_HANDLER /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:16525
    #4 0x9f38f6f in execute_ex /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:429
    #5 0xa34f88b in zend_execute /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:474
    #6 0x9c69108 in zend_execute_scripts /home/hjy/Desktop/php-7.1.7/Zend/zend.c:1476
    #7 0x98eb275 in php_execute_script /home/hjy/Desktop/php-7.1.7/main/main.c:2537
    #8 0xa35f295 in do_cli /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:993
    #9 0x80a8ceb in main /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:1381
    #10 0xb6bdca82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #11 0x80a995f (/home/hjy/Desktop/php-7.1.7/sapi/cli/php+0x80a995f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/i386-linux-gnu/bits/string3.h:51 memcpy
==6186==ABORTING
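As an added illustration (not PHP's own code and not the patch attached to this report), the following C model shows the failure mode the trace reports and the guard a defensive implementation needs: a struct clone that mirrors the allocate-and-memcpy shape of timelib_time_clone but rejects NULL, and an iterator rewind that refuses an object whose constructor never ran. All type and function names and the sample timestamp are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for timelib_time: a few fields plus seconds-since-epoch. */
typedef struct { long long sse; int y, m, d; } time_like;

/* Same shape as timelib_time_clone (allocate, memcpy the whole struct),
 * but with the NULL check whose absence the ASAN trace above shows. */
static time_like *time_clone_guarded(const time_like *orig) {
    if (orig == NULL) return NULL;            /* never memcpy() from NULL */
    time_like *tmp = malloc(sizeof *tmp);
    if (tmp) memcpy(tmp, orig, sizeof *tmp);
    return tmp;
}

/* Constructed stand-in for the DatePeriod object's internal state. */
typedef struct { time_like *start; time_like *current; } period_like;

/* Iterator rewind: 0 on success, -1 if the period was never initialised
 * (the subclass-constructor-did-not-run case from the test script). */
int period_rewind(period_like *p) {
    if (p->start == NULL) return -1;          /* reject uninitialised object */
    free(p->current);
    p->current = time_clone_guarded(p->start);
    return p->current ? 0 : -1;
}

int main(void) {
    period_like bad = { NULL, NULL };         /* constructor skipped */
    printf("uninitialised rewind: %d\n", period_rewind(&bad));

    time_like s = { 1343779200LL, 2012, 8, 1 }; /* constructed: 2012-08-01 UTC */
    period_like good = { &s, NULL };
    printf("initialised rewind: %d, year %d\n",
           period_rewind(&good), good.current->y);
    free(good.current);
    return 0;
}
```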


Patches

date-period-ctor-75002.txt.diff (last revision 2017-07-28 11:40 UTC by derick@php.net)

History

 [2017-07-28 10:44 UTC] derick@php.net
-PHP Version: 7.1.7 +PHP Version: 5.6.31, 7.1.7
 [2017-07-28 10:44 UTC] derick@php.net
DatePeriod, wrapping internal structures, should not be extendable. In any case, I can reproduce this and I'm looking at a fix right now.
 [2017-07-28 11:40 UTC] derick@php.net
The following patch has been added/updated:

Patch Name: date-period-ctor-75002.txt.diff
Revision:   1501242055
URL:        https://bugs.php.net/patch-display.php?bug=75002&patch=date-period-ctor-75002.txt.diff&revision=1501242055
 [2017-07-30 19:41 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-08-02 14:43 UTC] ab@php.net
Automatic comment on behalf of derick
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b112d09013088e73676eee77f04a906d15fbd1a7
Log: Fixed bug #75002 Null Pointer Dereference in timelib_time_clone
 [2017-08-02 14:43 UTC] ab@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 16:01:33 2024 UTC