Bug #72164 Null Pointer Dereference - mb_ereg_replace
Submitted: 2016-05-05 08:39 UTC
Modified: 2016-05-05 08:44 UTC
From: shm@php.net
Assigned:
Status: Closed
Package: mbstring related
PHP Version: 7.0.6
OS:
Private report: No
CVE-ID:
 [2016-05-05 08:39 UTC] shm@php.net
Description:
------------
mb_ereg_replace causes a null pointer dereference in the _php_mb_regex_ereg_replace_exec function. eval_buf can be dereferenced when the eval option is turned on and the pattern is empty.

Test script:
---------------
<?php
$var0 = "e";
$var2 = "";
$var8 = mbereg_replace($var2,$_,$_,$var0);

Expected result:
----------------
Null pointer is not dereferenced

Actual result:
--------------
$ ./php mbereg_replace.php 
ASAN:SIGSEGV
=================================================================
==906== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x000000a29c5a sp 0x7ffffafed520 bp 0x7ffffafedb70 T0)
AddressSanitizer can not provide additional info.
    #0 0xa29c59 in _php_mb_regex_ereg_replace_exec /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:941
    #1 0xa2a949 in zif_mb_ereg_replace /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:1029
    #2 0x101ced6 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #3 0x101bf4f in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #4 0x101c1aa in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #5 0xf31538 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #6 0xdc0d02 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #7 0x1148111 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #8 0x114a6ed in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #9 0x7f6c245b1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x4247a8 in _start (/home/shm/src/php-7.0.6/sapi/cli/php+0x4247a8)
SUMMARY: AddressSanitizer: SEGV /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:941 _php_mb_regex_ereg_replace_exec
==906== ABORTING
Aborted
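
Added example, not part of the original report or of the PHP project's code: a small triage script that parses the AddressSanitizer output above, checks that the fault address 0x10 is a small offset from NULL (consistent with reading a field through a NULL pointer), and extracts the crash site. The 4 KiB threshold and the names `triage`, `NULL_PAGE`, `ERROR_RE` and `FRAME_RE` are assumptions of this example.

```python
import re

# Lines copied from the AddressSanitizer output in the report above.
ASAN_REPORT = """\
==906== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x000000a29c5a sp 0x7ffffafed520 bp 0x7ffffafedb70 T0)
    #0 0xa29c59 in _php_mb_regex_ereg_replace_exec /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:941
    #1 0xa2a949 in zif_mb_ereg_replace /home/shm/src/php-7.0.6/ext/mbstring/php_mbregex.c:1029
    #9 0x7f6c245b1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
"""

# Assumption: a fault below one 4 KiB page is treated as NULL plus a field offset.
NULL_PAGE = 0x1000

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+):(\d+)\s*$")


def triage(report):
    """Return the signal, fault address, near-NULL verdict and symbolized frames."""
    m = ERROR_RE.search(report)
    if m is None:
        raise ValueError("no AddressSanitizer SEGV header found")
    addr = int(m.group(2), 16)
    frames = []
    for line in report.splitlines():
        f = FRAME_RE.match(line)
        if f:  # frames without "in <func> <file>:<line>" (e.g. libc) are skipped
            frames.append({"n": int(f.group(1)), "func": f.group(2),
                           "file": f.group(3), "line": int(f.group(4))})
    near_null = addr < NULL_PAGE
    return {
        "signal": m.group(1),
        "address": addr,
        "near_null": near_null,
        "offset_from_null": addr if near_null else None,
        "frames": frames,
        "crash_site": frames[0] if frames else None,
    }


if __name__ == "__main__":
    r = triage(ASAN_REPORT)
    site = r["crash_site"]
    print(f"{r['signal']} at {r['address']:#x}, near-NULL={r['near_null']}")
    print(f"crash site: {site['func']} ({site['file']}:{site['line']})")
```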


 [2016-05-05 08:44 UTC] shm@php.net
-Summary: Null Pointer Dereference +Summary: Null Pointer Dereference - mb_ereg_replace
 [2016-05-05 09:28 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=395863b1d1798100b51c4c8be6e88d574e1a1bf1
Log: Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace)
 [2016-05-05 09:28 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=395863b1d1798100b51c4c8be6e88d574e1a1bf1
Log: Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace)
 
Last updated: Fri Apr 28 08:01:50 2017 UTC