php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #77738 Nullptr deref in zend_compile_expr
Submitted: 2019-03-13 16:11 UTC Modified: 2019-03-13 16:17 UTC
From: bugs-syssec at rub dot de Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.3.3 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bugs-syssec at rub dot de
New email:
PHP Version: OS:

 

 [2019-03-13 16:11 UTC] bugs-syssec at rub dot de 
Description:
------------
$ ./php --version
PHP 7.3.0 (cli) (built: Jan 17 2019 14:04:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies

Test script:
---------------
https://filebin.ca/4a3zeQt3E7a5/nullptr_deref-zend_compile_expr.php

Expected result:
----------------
No crash.

Actual result:
--------------
==4473== Memcheck, a memory error detector
==4473== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4473== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==4473== Command: ./php-plain nullptr_deref-zend_compile_expr.php
==4473== 
==4473== Invalid read of size 2
==4473==    at 0x50C0DB: zend_compile_const (zend_compile.c:7709)
==4473==    by 0x50E604: zend_compile_expr (zend_compile.c:8371)
==4473==    by 0x51505D: zend_compile_stmt (zend_compile.c:8256)
==4473==    by 0x517F74: zend_compile_top_stmt (zend_compile.c:8142)
==4473==    by 0x517F60: zend_compile_top_stmt (zend_compile.c:8137)
==4473==    by 0x4F0958: zend_compile (zend_language_scanner.l:602)
==4473==    by 0x4F1ED9: compile_file (zend_language_scanner.l:636)
==4473==    by 0x3DE0FB: phar_compile_file (phar.c:3344)
==4473==    by 0x528A2A: zend_execute_scripts (zend.c:1562)
==4473==    by 0x4C949F: php_execute_script (main.c:2630)
==4473==    by 0x5B88BB: do_cli (php_cli.c:997)
==4473==    by 0x21105A: main (php_cli.c:1389)
==4473==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4473== 
==4473== 
==4473== Process terminating with default action of signal 11 (SIGSEGV)
==4473==  Access not within mapped region at address 0x0
==4473==    at 0x50C0DB: zend_compile_const (zend_compile.c:7709)
==4473==    by 0x50E604: zend_compile_expr (zend_compile.c:8371)
==4473==    by 0x51505D: zend_compile_stmt (zend_compile.c:8256)
==4473==    by 0x517F74: zend_compile_top_stmt (zend_compile.c:8142)
==4473==    by 0x517F60: zend_compile_top_stmt (zend_compile.c:8137)
==4473==    by 0x4F0958: zend_compile (zend_language_scanner.l:602)
==4473==    by 0x4F1ED9: compile_file (zend_language_scanner.l:636)
==4473==    by 0x3DE0FB: phar_compile_file (phar.c:3344)
==4473==    by 0x528A2A: zend_execute_scripts (zend.c:1562)
==4473==    by 0x4C949F: php_execute_script (main.c:2630)
==4473==    by 0x5B88BB: do_cli (php_cli.c:997)
==4473==    by 0x21105A: main (php_cli.c:1389)
==4473==  If you believe this happened as a result of a stack
==4473==  overflow in your program's main thread (unlikely but
==4473==  possible), you can try to increase the size of the
==4473==  main thread stack using the --main-stacksize= flag.
==4473==  The main thread stack size used in this run was 8388608.
==4473== 
==4473== HEAP SUMMARY:
==4473==     in use at exit: 1,312,694 bytes in 10,199 blocks
==4473==   total heap usage: 10,801 allocs, 602 frees, 1,668,856 bytes allocated
==4473== 
==4473== LEAK SUMMARY:
==4473==    definitely lost: 0 bytes in 0 blocks
==4473==    indirectly lost: 0 bytes in 0 blocks
==4473==      possibly lost: 1,049,520 bytes in 9,070 blocks
==4473==    still reachable: 263,174 bytes in 1,129 blocks
==4473==         suppressed: 0 bytes in 0 blocks
==4473== Rerun with --leak-check=full to see details of leaked memory
==4473== 
==4473== For counts of detected and suppressed errors, rerun with: -v
==4473== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-03-13 16:13 UTC] spam2 at rhsoft dot net 
PHP 7.3.0 (cli) (built: Jan 17 2019 14:04:29) ( NTS )

don't you think it's a bad idea to report a bug against a month old build when 7.3.3 is the recent version with a ton of bugreports and fixes in the meantime?
 [2019-03-13 16:15 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-03-13 16:15 UTC] nikic@php.net 
Verified that this still crashes on current PHP-7.3 head.
 [2019-03-13 16:17 UTC] nikic@php.net
-Status: Verified +Status: Analyzed
 [2019-03-13 16:17 UTC] nikic@php.net 
Simpler reproducer:

<?php
var_dump(__COMPILER_HALT_OFFSET__);
; // <- important

Null statements are not handled.
 [2019-03-14 08:48 UTC] laruence@php.net 
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c7920aba3e1892accca7cd13ef5b8a8fbf48b5c2
Log: Fixed bug #77738 (Nullptr deref in zend_compile_expr)
 [2019-03-14 08:48 UTC] laruence@php.net
-Status: Analyzed +Status: Closed
 [2019-03-14 16:27 UTC] nikic@php.net 
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c7920aba3e1892accca7cd13ef5b8a8fbf48b5c2
Log: Fixed bug #77738 (Nullptr deref in zend_compile_expr)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Dec 03 16:01:33 2024 UTC