Bug #68817 Null pointer dereference
Submitted: 2015-01-12 18:49 UTC Modified: 2015-01-15 00:07 UTC
From: bugreports at internot dot info Assigned:
Status: Closed Package: JSON related
PHP Version: master-Git-2015-01-12 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-01-12 18:49 UTC] bugreports at internot dot info
Description:
------------
Hi,

In ext/json/JSON_parser.c:

585                    buf.s->len = 0;

but it is possible for buf.s to not be initialized.
The proper code is demonstrated in the previous "case":

564                    if (buf.s) { buf.s->len = 0; }

I imagine this can be triggered if "type == IS_STRING" is false.


Thanks,


 [2015-01-13 09:45 UTC] tony2001@php.net
-Status: Open +Status: Feedback
 [2015-01-13 09:45 UTC] tony2001@php.net
But it is initialized at the top of the func:
    smart_str buf = {0};

Do you have a reproduce case?
 [2015-01-13 17:09 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-13 17:09 UTC] bugreports at internot dot info
Why is there a check on line 564 then?


Thanks,
 [2015-01-14 09:36 UTC] tony2001@php.net
-Status: Open +Status: Feedback
 [2015-01-14 09:36 UTC] tony2001@php.net
Because Nikita Popov added it in b30c7fe2 for some reason.
Do I understand it correctly that you don't have a reproduce case and are just trying to deduce a security problem by looking at the code?
 [2015-01-14 12:40 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-14 12:40 UTC] bugreports at internot dot info
Yes.

And the if() at line 564 could/should probably be removed, then.


Thanks,
 [2015-01-14 12:53 UTC] tony2001@php.net
-Type: Security +Type: Feature/Change Request
 [2015-01-15 00:07 UTC] stas@php.net
-Type: Feature/Change Request +Type: Bug
 [2015-01-15 00:07 UTC] stas@php.net
Actually, this report appears to be correct - decoding [""] via json_decode produces a segfault for me. Initializing buf doesn't help since it's initialized to 0, so buf.s->len still can have null deref. This code is in master only (older code uses buf.len which has no pointer) so no reason to keep it private.
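The failure mode stas describes, as an added stand-alone example (not code from php-src): `smart_str` here is a simplified stand-in with the same lazy-allocation property as PHP's, namely that a zero-initialized buffer has `s == NULL` until the first append. The empty string literal in `[""]` appends nothing, so the unchecked reset from line 585 dereferences NULL, while the guarded form from line 564 does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-in for PHP's smart_str (assumption, not the real type).
 * Like the real one, the heap block `s` is allocated lazily on the first
 * append, so `smart_str buf = {0};` leaves s == NULL. */
typedef struct { size_t len; char *val; } smart_str_block;
typedef struct { smart_str_block *s; } smart_str;

static void smart_str_appendc(smart_str *dst, char c) {
    if (!dst->s) {
        dst->s = calloc(1, sizeof *dst->s);
        dst->s->val = malloc(64);   /* fixed capacity is enough for this demo */
    }
    dst->s->val[dst->s->len++] = c;
}

/* Reset as the report found it at JSON_parser.c:585: assumes s is allocated. */
static void reset_unchecked(smart_str *buf) {
    buf->s->len = 0;
}

/* Guarded reset from line 564 / the fix: only touch s if it exists. */
static void reset_checked(smart_str *buf) {
    if (buf->s) { buf->s->len = 0; }
}

/* Scans the contents of one JSON string literal (the text between the
 * quotes) into a zeroed buffer, then finishes the value with one of the
 * two resets. Returns false when the unchecked reset would have
 * dereferenced a NULL buf.s; the demo never actually performs that deref. */
static bool scan_string_value(const char *contents, bool use_checked_reset) {
    smart_str buf = {0};            /* same zero-init as the parser */
    for (const char *p = contents; *p; p++) {
        smart_str_appendc(&buf, *p);
    }
    bool safe;
    if (use_checked_reset) {
        reset_checked(&buf);
        safe = true;
    } else if (buf.s) {
        reset_unchecked(&buf);
        safe = true;
    } else {
        safe = false;               /* "" case: buf.s == NULL, this is the segfault */
    }
    if (buf.s) { free(buf.s->val); free(buf.s); }
    return safe;
}
```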
 [2015-01-15 00:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f95aa4d97b6a687f7b4565157b934610d354f43
Log: Fix bug #68817: Null pointer deference
 [2015-01-15 00:13 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:39 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f95aa4d97b6a687f7b4565157b934610d354f43
Log: Fix bug #68817: Null pointer deference
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Nov 28 12:01:23 2020 UTC