Sec Bug #68708 uninitialized pointer(?)
Submitted: 2015-01-01 09:49 UTC Modified: 2015-01-04 09:33 UTC
From: bugreports at internot dot info Assigned:
Status: Not a bug Package: mbstring related
PHP Version: master-Git-2015-01-01 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None


 [2015-01-01 09:49 UTC] bugreports at internot dot info
I'm not 100% sure of this one, but perhaps it should be looked at:

5271  UnsetAddrList  uslist;

If this is false:
5318  if (scan_env.num_call > 0) {

uslist will never be set, which leads to uninitialized pointer reads.

5395      r = unset_addr_list_fix(&uslist, reg);
5412    unset_addr_list_end(&uslist);
5431    unset_addr_list_end(&uslist);

I don't know if it's possible for this to occur, but my belief is that it is.


 [2015-01-04 06:00 UTC]
In the future, it would be helpful to specify the filename where the problematic code is located. This one is unique enough so I could find it easily, but sometimes it may be harder.
 [2015-01-04 06:04 UTC]
-Status: Open +Status: Feedback
 [2015-01-04 06:04 UTC]
I see that in all cases - 5395, 5395, 5431 - the code is inside if(scan_env.num_call > 0), which is the same condition as in 5318. Please describe how you think it is possible for a UMR to occur.
 [2015-01-04 09:17 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-04 09:17 UTC] bugreports at internot dot info

Sorry about the lack of filename.

If you think it's not possible that the code can be executed, then that's good enough for me.

The idea was that everything goes down the true branch, until:

5286    if (r != 0) goto end;

which is false...

5301  if (r != 0) goto err;

which is false

5305  if (scan_env.num_named > 0 &&

which is false

5318  if (scan_env.num_call > 0) {
which is false
5336  if (r != 0) goto err_unset;
also false

5345  if (IS_FIND_CONDITION(reg->options))
this is true

5353  if (scan_env.backrefed_mem == 0

5360    if (scan_env.has_recursion != 0) {

and then finally..

5382  if (r != 0) goto err_unset;

which would jump to:

5428 err_unset:
5429#ifdef USE_SUBEXP_CALL
5430  if (scan_env.num_call > 0) {
5431    unset_addr_list_end(&uslist);
5432  }

 [2015-01-04 09:33 UTC]
-Status: Open +Status: Not a bug
 [2015-01-04 09:33 UTC]
But if you say (scan_env.num_call > 0) is false, 5431 cannot be executed.

I'll be closing it for now; if there are any other considerations, it may be reopened then.

For other people looking into this, the file in question is ext/mbstring/oniguruma/regcomp.c.
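The control flow argued over above, reduced to a runnable model as an added example (not oniguruma's or PHP's own code): a local list is initialised, used and freed only under the same num_call > 0 guard, including at the err_unset label, so the path the reporter describes (num_call == 0, then a failure that jumps to err_unset) never reads the indeterminate local. AddrList, compile_like, fail_later and cleanup_calls are constructed stand-ins for the real types and the "r != 0" failure, not names from regcomp.c.

```c
#include <stdlib.h>

/* Constructed stand-in for oniguruma's UnsetAddrList: a heap buffer and a count. */
typedef struct { int *us; int num; } AddrList;

static int addr_list_init(AddrList *l, int size)
{
    l->us = malloc(sizeof(int) * (size_t)size);
    l->num = 0;
    return l->us == NULL ? -1 : 0;
}

static void addr_list_end(AddrList *l) { free(l->us); l->us = NULL; }

int cleanup_calls;   /* how many times the list was torn down on the last call */

/* Mirrors the control flow quoted in the report: uslist is initialised and
 * freed only under num_call > 0, including at err_unset. fail_later simulates
 * the "r != 0" failure (line 5382 in the report) that jumps to err_unset.
 * Returns 0 on success, -1 on failure. */
int compile_like(int num_call, int fail_later)
{
    AddrList uslist;          /* indeterminate unless num_call > 0, as in regcomp.c */
    int r = 0;
    cleanup_calls = 0;

    if (num_call > 0) {                           /* report line 5318 */
        r = addr_list_init(&uslist, num_call);
        if (r != 0) goto err;
    }
    if (fail_later) { r = -1; goto err_unset; }   /* report line 5382 */

    if (num_call > 0) {                           /* report line 5412 */
        addr_list_end(&uslist);
        cleanup_calls++;
    }
    return 0;

err_unset:                                        /* report line 5428 */
    if (num_call > 0) {      /* identical guard: uslist is read only when it was set */
        addr_list_end(&uslist);
        cleanup_calls++;
    }
err:
    return r;
}
```

The guards are only safe because num_call is never modified between them; a zero initialiser (`AddrList uslist = { 0 };`) with an unconditional `addr_list_end` would keep the cleanup correct even if a later edit changed one guard, since `free(NULL)` is a no-op.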
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 13 17:01:30 2024 UTC