php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #68708 uninitalized pointer(?)
Submitted: 2015-01-01 09:49 UTC Modified: 2015-01-04 09:33 UTC
From: bugreports at internot dot info Assigned:
Status: Not a bug Package: mbstring related
PHP Version: master-Git-2015-01-01 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-01-01 09:49 UTC] bugreports at internot dot info
Description:
------------
I'm not 100% sure of this one, but perhaps it should be looked at:




5271  UnsetAddrList  uslist;


If this is false:
5318  if (scan_env.num_call > 0) {


uslist will never be set, which leads to uninitalized pointer reads.

5395      r = unset_addr_list_fix(&uslist, reg);
5412    unset_addr_list_end(&uslist);
5431    unset_addr_list_end(&uslist);



I don't know if it's possible for this to occur, but my belief is that it is.


Thanks,


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-04 06:00 UTC] stas@php.net
In the future, it would be helpful to specify the filename where the problematic code is located. This one is unique enough so I could find it easily, but sometimes it may be harder.
 [2015-01-04 06:04 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2015-01-04 06:04 UTC] stas@php.net
I see that in all cases - 5395, 5395, 5431 - the code is inside if(scan_env.num_call > 0) which is the same condition as in 5318. Please describe how do you think it can be possible to UMR to occur.
 [2015-01-04 09:17 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-04 09:17 UTC] bugreports at internot dot info
Hi,

Sorry about the lack of filename.

If you think it's not possible that the code can be executed, then that's good enough for me.


The idea was that everything goes down the true branch, until:

5286    if (r != 0) goto end;

which is false...

5301  if (r != 0) goto err;

which is false

5305  if (scan_env.num_named > 0 &&

which is false

5318  if (scan_env.num_call > 0) {
which is false
5336  if (r != 0) goto err_unset;
also false

5345  if (IS_FIND_CONDITION(reg->options))
this is true

5353  if (scan_env.backrefed_mem == 0
true

5360    if (scan_env.has_recursion != 0) {
true


and then finally..

5382  if (r != 0) goto err_unset;

which would jump to:

5428 err_unset:
5429#ifdef USE_SUBEXP_CALL
5430  if (scan_env.num_call > 0) {
5431    unset_addr_list_end(&uslist);
5432  }



Thanks,
 [2015-01-04 09:33 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2015-01-04 09:33 UTC] stas@php.net
But if you say (scan_env.num_call > 0) is false 5431 can not be executed. 

I'll be closing it for now, if there's any other considerations it may be reopened then.

For other people looking into this, the file in question is ext/mbstring/oniguruma/regcomp.c.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Sep 26 12:05:52 2022 UTC