php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #68740 null pointer deference
Submitted: 2015-01-04 10:21 UTC Modified: 2015-01-08 08:15 UTC
From: bugreports at internot dot info Assigned: laruence (profile)
Status: Closed Package: Regexps related
PHP Version: master-Git-2015-01-04 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
27 - 13 = ?
Subscribe to this entry?

 
 [2015-01-04 10:21 UTC] bugreports at internot dot info 
Description:
------------
Hi,

An explicit null deference happens in /ext/ereg/regex/regcomp.c:


140        g->setbits = NULL;

then this is called:

167        categorize(p, g);

which does this:

1326                if (cats[c] == 0 && isinsets(g, c)) {


And then the isinsets function does this:

1279        for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
1280                if (col[uc] != 0)
1281                        return(1);


which will cause a crash.



Thanks,

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-08 08:09 UTC] laruence@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=124fb22a13fafa3648e4e15b4f207c7096d8155e
Log: Fixed bug #68739 #68740 #68741
 [2015-01-08 08:15 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2015-01-08 08:15 UTC] laruence@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2015-03-31 22:47 UTC] kaplan@php.net 
Automatic comment on behalf of kaplanlior@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a32c8ba719493fd2b4700c4f7db1ef130ceb7661
Log: Fixed bug #68739 (Missing break / control flow). Fixed bug #68740 (NULL Pointer Dereference). Fixed bug #68677 (Use After Free).
 [2015-03-31 22:47 UTC] kaplan@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=059e774db013a8fc31cf2dce0e4d051580bf9d30
Log: Fixed bug #68740 (NULL Pointer Dereference)
 [2015-03-31 22:56 UTC] kaplan@php.net 
Automatic comment on behalf of kaplanlior@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a32c8ba719493fd2b4700c4f7db1ef130ceb7661
Log: Fixed bug #68739 (Missing break / control flow). Fixed bug #68740 (NULL Pointer Dereference). Fixed bug #68677 (Use After Free).
 [2015-03-31 22:56 UTC] kaplan@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=059e774db013a8fc31cf2dce0e4d051580bf9d30
Log: Fixed bug #68740 (NULL Pointer Dereference)
 [2015-03-31 23:02 UTC] kaplan@php.net 
Automatic comment on behalf of kaplanlior@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a32c8ba719493fd2b4700c4f7db1ef130ceb7661
Log: Fixed bug #68739 (Missing break / control flow). Fixed bug #68740 (NULL Pointer Dereference). Fixed bug #68677 (Use After Free).
 [2015-03-31 23:02 UTC] kaplan@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=059e774db013a8fc31cf2dce0e4d051580bf9d30
Log: Fixed bug #68740 (NULL Pointer Dereference)
 [2015-04-06 05:49 UTC] stas@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9a404df382d041127eaa601b3113587df45d510d
Log: Fixed bug #68740 (NULL Pointer Dereference)
 [2015-05-28 20:37 UTC] thoger at redhat dot com 
Is there any test case to trigger this crash?

NULL dereference isinsets() can only happen if ncols is greater than 0.  ncols is:

1276         register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT;

ncsets is initialized to 0:

 141         g->ncsets = 0;

and only changed in allocset():

1003         register int no = p->g->ncsets++;

Further on in allocset():

1010         if (no >= p->ncsalloc) {        /* need another column of space */
1011                 p->ncsalloc += CHAR_BIT;

...

1020                 if (p->g->setbits == NULL)
1021                         p->g->setbits = (uch *)malloc(nbytes);
1022                 else {
1023                         p->g->setbits = (uch *)realloc((unsigned char *)p->g->setbits,
1024                                                                 nbytes);

ncsalloc is also initialized to 0 and only incremented in allocset().  Hence on the first allocset() call, the code to allocate setbits it reached.  So isinsets() NULL dereference could only happen on failed malloc, and if subsequent SETERROR fails to halt processing as it's meant to.  Is there some code path I'm overlooking?
 [2016-07-20 11:40 UTC] davey@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=124fb22a13fafa3648e4e15b4f207c7096d8155e
Log: Fixed bug #68739 #68740 #68741
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 31 20:00:01 2025 UTC