php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71561 NULL pointer dereference in virtual_file_ex
Submitted: 2016-02-09 14:36 UTC Modified: 2016-02-09 14:56 UTC
From: martino dot sani at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2016-02-09 (Git) OS: Debian 4.0.8-2 x86_64 GNU/Linux
Private report: No CVE-ID: None
 [2016-02-09 14:36 UTC] martino dot sani at gmail dot com
Description:
------------
virtual_file_ex method in the zend_virtual_cwd.c file uses a char* argument that could be NULL.
I triggered this issue through extractTo method in the PHP Zip extension (see test script), opening a not existing ZIP archive.

Vulnerable code in zend_virtual_cwd.c:

   CWD_API int virtual_file_ex(cwd_state *state, const char *path, verify_path_func verify_path, int use_realpath) /* {{{ */
   {
        // path could be NULL
	int path_length = (int)strlen(path);

The issue is triggerable via addEmptyDir and extractTo Zip extension methods, if not existing zip archive will be opened.

extractTo method in the php_zip.c file:

   /* Extract all files */
   // zip_get_num_files returns 1 (intern->nentry is equal to 1) because, I think, addEmptyDir incremented it.
   int filecount = zip_get_num_files(intern);

   if (filecount == -1) {
       // ...
   }

   for (i = 0; i < filecount; i++) {

       // zip_get_name returns NULL
       char *file = (char*)zip_get_name(intern, i, ZIP_FL_UNCHANGED);

       // php_zip_extract_file uses virtual_file_ex
       if (!php_zip_extract_file(intern, pathto, file, strlen(file))) {
           RETURN_FALSE;
       }
   }

PHP builded using:

   ./buildconf --force
   ./configure --prefix=/opt/php --enable-debug --enable-zip
   make && make install


Test script:
---------------
<?php

   $zip = new ZipArchive();

   // Open a not existing zip file
   $zip->open("/dev/shm/notexisting.zip", ZIPARCHIVE::CREATE);

   $zip->addEmptyDir("foo");

   // Program terminated with signal SIGSEGV, Segmentation fault.
   $zip->extractTo("/dev/shm/");

   $zip->close();

?>

Expected result:
----------------
PHP interpreter should not crash.

No actions could be performed by extractTo method because the zip file does not physically exist, or the "in-memory" zip archive could be handled as a normal archive (if possible).

Actual result:
--------------
PHP interpreter crashes with a SIGSEGV.

   $ gdb) where
   #0  strlen () at ../sysdeps/x86_64/strlen.S:106
   #1  0x000000000079055a in c_ziparchive_extractTo (execute_data=0x7f3656a15120, return_value=0x7f3656a15100) at /php-src/master/src/ext/zip/php_zip.c:2671
   #2  0x0000000000891c3a in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /php-src/master/src/Zend/zend_vm_execute.h:1024
   #3  0x0000000000890610 in execute_ex (ex=0x7f3656a15030) at /php-src/master/src/Zend/zend_vm_execute.h:422
   #4  0x0000000000890721 in zend_execute (op_array=0x7f3656a82000, return_value=0x0) at /php-src/master/src/Zend/zend_vm_execute.h:466
   #5  0x00000000008362e8 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /php-src/master/src/Zend/zend.c:1427
   #6  0x00000000007a76ae in php_execute_script (primary_file=0x7ffd6efe8db0) at /php-src/master/src/main/main.c:2484
   #7  0x0000000000908079 in do_cli (argc=3, argv=0x18a1c40) at /php-src/master/src/sapi/cli/php_cli.c:974
   #8  0x0000000000909043 in main (argc=3, argv=0x18a1c40) at /php-src/master/src/sapi/cli/php_cli.c:1345

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-02-09 14:56 UTC] martino dot sani at gmail dot com
-Summary: NULL Pointer Deference in virtual_file_ex +Summary: NULL pointer dereference in virtual_file_ex
 [2016-02-09 14:56 UTC] martino dot sani at gmail dot com
edited summary
 [2016-02-09 15:36 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f45752eb8393ebe758d8e920f7a48a2a39aa6ea5
Log: Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo)
 [2016-02-09 15:36 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-02-09 15:37 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f45752eb8393ebe758d8e920f7a48a2a39aa6ea5
Log: Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 16:01:33 2024 UTC