Bug #72644 op_array NULL pointer dereference found in vld_compile_file
Submitted: 2016-07-22 05:39 UTC Modified: 2017-03-09 20:44 UTC
From: mkliu at tencent dot com Assigned: derick (profile)
Status: Assigned Package: vld (PECL)
PHP Version: 7.0.9 OS: linux
Private report: No CVE-ID: None

 [2016-07-22 05:39 UTC] mkliu at tencent dot com
Description:
------------
A null pointer dereference is caused in vld_compile_file when VLD is used to dump the opcodes of a PHP file that contains a syntax error, such as:

<?php
$aaaa\x00=2;
?>

Test script:
---------------
php -dvld.active=1 -dvld.save_dir='./' -dvld.verbosity=3 -dvld.save_paths=1 -dvld.dump_paths=1 ./test.php

Actual result:
--------------
>>> disass
   0x00007ffff2a00b51 <+602>:	mov    rax,QWORD PTR [rax+0x30]
   0x00007ffff2a00b55 <+606>:	test   rax,rax
   0x00007ffff2a00b58 <+609>:	je     0x7ffff2a00b9f <vld_compile_file+680>
   0x00007ffff2a00b5a <+611>:	mov    rax,QWORD PTR [rbp-0x58]
=> 0x00007ffff2a00b5e <+615>:	mov    rax,QWORD PTR [rax+0x78]
   0x00007ffff2a00b62 <+619>:	test   rax,rax
   0x00007ffff2a00b65 <+622>:	je     0x7ffff2a00b75 <vld_compile_file+638>
   0x00007ffff2a00b67 <+624>:	mov    rax,QWORD PTR [rbp-0x58]
   0x00007ffff2a00b6b <+628>:	mov    rax,QWORD PTR [rax+0x78]
   0x00007ffff2a00b6f <+632>:	add    rax,0x18
   0x00007ffff2a00b73 <+636>:	jmp    0x7ffff2a00b7c <vld_compile_file+645>


>>> bt
#0  0x00007ffff2a00b5e in vld_compile_file (file_handle=0x7fffffffc9f0, type=0x8) at /home/mk/Work/SourceCode/php-src/vld/vld.c:377
#1  0x00005555557b195c in zend_execute_scripts ()
#2  0x00005555557524e0 in php_execute_script ()
#3  0x0000555555845ca4 in ?? ()
#4  0x0000555555637d54 in main ()
#5  0x00007ffff63fe830 in __libc_start_main (main=0x5555556378e0 <main>, argc=0x7, argv=0x7fffffffddf8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdde8) at ../csu/libc-start.c:291
#6  0x0000555555637e99 in _start ()
>>> info r
rax            0x0	0x0
rbx            0x0	0x0
rcx            0x7fffffffb610	0x7fffffffb610
rdx            0x0	0x0
rsi            0x5555557794f0	0x5555557794f0
rdi            0x0	0x0
rbp            0x55555584e310	0x55555584e310 <__libc_csu_init>
rsp            0x7fffffffdd20	0x7fffffffdd20
r8             0x1	0x1
r9             0x1	0x1
r10            0x2	0x2
r11            0x2	0x2
r12            0x555555637e70	0x555555637e70
r13            0x7fffffffddf0	0x7fffffffddf0
r14            0x0	0x0
r15            0x0	0x0
rip            0x7ffff63fe830	0x7ffff63fe830 <__libc_start_main+240>
eflags         0x10206	[ PF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0
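
As an added illustration, not VLD's own code and not the Zend API (the op_array struct, the compile hook signature and the mock compiler are all constructed stand-ins), the hook-chaining pattern behind this report: the original compiler returns NULL for a file that fails to parse, the unchecked hook dereferences that NULL, and the hardened hook treats NULL as "nothing to dump" and passes it back.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the engine's op_array: only the fields used here. */
typedef struct { const char *filename; size_t last; /* opcode count */ } op_array_t;

/* Mock compiler (not the real Zend one): an embedded NUL in an identifier, as in
 * the report's "$aaaa\x00=2;" file, is a parse error and yields NULL, no op_array. */
static op_array_t *engine_compile_file(const char *buf, size_t len)
{
    if (memchr(buf, '\0', len) != NULL) return NULL;
    op_array_t *op = calloc(1, sizeof *op);
    if (op) { op->filename = "test.php"; op->last = 3; } /* constructed count */
    return op;
}

/* The saved original hook that the extension chains to. */
static op_array_t *(*old_compile_file)(const char *, size_t) = engine_compile_file;

/* The pattern behind the crash: chain to the original compiler and use the
 * result unconditionally, so a parse error becomes a NULL dereference. */
op_array_t *vld_compile_file_unchecked(const char *buf, size_t len)
{
    op_array_t *op = old_compile_file(buf, len);
    printf("%s: %zu opcodes\n", op->filename, op->last); /* op may be NULL here */
    return op;
}

/* Hardened form: NULL means nothing was compiled, so there is nothing to dump;
 * hand the NULL back so the engine reports the parse error as usual. */
op_array_t *vld_compile_file_checked(const char *buf, size_t len)
{
    op_array_t *op = old_compile_file(buf, len);
    if (op == NULL) return NULL;
    printf("%s: %zu opcodes\n", op->filename, op->last);
    return op;
}

/* Drives the hardened hook: returns the opcode count, or -1 on compile failure. */
long dump_opcodes(const char *buf, size_t len)
{
    op_array_t *op = vld_compile_file_checked(buf, len);
    if (op == NULL) return -1;
    long n = (long)op->last;
    free(op);
    return n;
}

/* Constructed inputs: the report's crashing file (embedded NUL) and a clean one. */
const char crash_src[] = "<?php\n$aaaa\0=2;\n?>";
const char clean_src[] = "<?php\n$aaaa=2;\n?>";
```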



History

 [2016-07-22 19:07 UTC] stas@php.net
-Assigned To: +Assigned To: derick
 [2017-03-09 20:44 UTC] nikic@php.net
-Type: Security +Type: Bug
 [2017-03-09 20:44 UTC] nikic@php.net
This is not a security issue, as this requires local control, not to mention that VLD is a debugging extension not used in production systems.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC