Bug #72397 php_output_handler_init may cause null pointer dereference
Submitted: 2016-06-13 18:46 UTC Modified: 2016-06-15 15:47 UTC
From: shm@php.net Assigned:
Status: Wont fix Package: Reproducible crash
PHP Version: 7.0Git-2016-06-13 (Git) OS: Linux
Private report: No CVE-ID: None

 [2016-06-13 18:46 UTC] shm@php.net
Description:
------------
In case of USE_ZEND_ALLOC=0, the function php_output_handler_init, which looks as follows:

    static inline php_output_handler *php_output_handler_init(zend_string *name, size_t chunk_size, int flags)
    {
        php_output_handler *handler;

        handler = ecalloc(1, sizeof(php_output_handler));
        handler->name = zend_string_copy(name);
        handler->size = chunk_size;
        handler->flags = flags;
        handler->buffer.size = PHP_OUTPUT_HANDLER_INITBUF_SIZE(chunk_size);
        handler->buffer.data = emalloc(handler->buffer.size);

        return handler;
    }

may return NULL in buffer.data if buffer.size is large enough for the allocation to fail; it is then dereferenced later (when buffer.data is used), i.e. in php_output_handler_append, as presented below:


$ ASAN_OPTIONS=symbolize=1 ./php minerva.147.1053581631
==2035== WARNING: AddressSanitizer failed to allocate 0x10e0829ff7e000 bytes
ASAN:SIGSEGV
=================================================================
==2035== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f79f3d819a5 sp 0x7fff83d32038 bp 0x7fff83d32880 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f79f3d819a4 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x199a4)
    #1 0x7f79f3d763a2 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xe3a2)
    #2 0xedf3f7 in php_output_handler_append /home/shm/src/php-src/main/output.c:893
    #3 0xedf5de in php_output_handler_op /home/shm/src/php-src/main/output.c:941
    #4 0xee043e in php_output_op /home/shm/src/php-src/main/output.c:1057
    #5 0xedbd51 in php_output_write /home/shm/src/php-src/main/output.c:257
    #6 0xe9995e in php_printf /home/shm/src/php-src/main/main.c:692
    #7 0xe9bef0 in php_error_cb /home/shm/src/php-src/main/main.c:1127
    #8 0x1010b45 in zend_error_noreturn /home/shm/src/php-src/Zend/zend.c:1154
    #9 0x10122af in zend_internal_type_error /home/shm/src/php-src/Zend/zend.c:1348
    #10 0x1016e57 in zend_wrong_paramer_type_error /home/shm/src/php-src/Zend/zend_API.c:226
    #11 0xd1c570 in zif_fread /home/shm/src/php-src/ext/standard/file.c:1808
    #12 0x10fe845 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-src/Zend/zend_vm_execute.h:586
    #13 0x10fd8be in execute_ex /home/shm/src/php-src/Zend/zend_vm_execute.h:414
    #14 0x10fdb19 in zend_execute /home/shm/src/php-src/Zend/zend_vm_execute.h:458
    #15 0x1012aee in zend_execute_scripts /home/shm/src/php-src/Zend/zend.c:1427
    #16 0xea2158 in php_execute_script /home/shm/src/php-src/main/main.c:2494
    #17 0x122931b in do_cli /home/shm/src/php-src/sapi/cli/php_cli.c:974
    #18 0x122b8f7 in main /home/shm/src/php-src/sapi/cli/php_cli.c:1344
    #19 0x7f79f2481ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #20 0x42dc48 in _start (/home/shm/src/php-src/sapi/cli/php+0x42dc48)

Test script:
---------------
<?php
$var0 = mt_rand();
$var5 = mktime($var0,$var2,$var1,$var0,$var2);
$var7 = ob_start($var4,$var5,$var2);
$var8 = posix_seteuid($var7);
$var10 = gzread($var8,$var8);

Expected result:
----------------
No NPD happens

Actual result:
--------------
NPD happens

 [2016-06-14 00:39 UTC] laruence@php.net
I am not sure this is a bug, since USE_ZEND_ALLOC=0 should not be a case we should fix
 [2016-06-14 08:33 UTC] shm@php.net
Seems that you're right, maybe we should point out in documentation that magic things can happen if you use USE_ZEND_ALLOC=0
 [2016-06-15 07:02 UTC] laruence@php.net
not sure it worthy. since, USE_ZEND_ALLOC=0 should be only for debug purpose :)
 [2016-06-15 09:59 UTC] shm@php.net
So maybe we should wrap allocator to catch cases when malloc returns NULL? If you don't think so, then feel free to close it.
 [2016-06-15 15:46 UTC] laruence@php.net
-Status: Open +Status: Wont fix
 [2016-06-15 15:46 UTC] laruence@php.net
We are sorry, but we can not support PHP 4 related problems anymore.


 [2016-06-15 15:47 UTC] laruence@php.net
wrong close reason was selected :<
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Mar 07 00:01:23 2021 UTC