Bug #72644 op_array NULL pointer dereference found in vld_compile_file
Submitted: 2016-07-22 05:39 UTC Modified: 2021-06-13 04:22 UTC
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: mkliu at tencent dot com Assigned: derick (profile)
Status: No Feedback Package: vld (PECL)
PHP Version: 7.0.9 OS: linux
Private report: No CVE-ID: None

 [2016-07-22 05:39 UTC] mkliu at tencent dot com
A null pointer dereference will be caused in vld_compile_file when we use VLD to dump the opcodes of a PHP file that contains a syntax error, such as:


Test script:
php -dvld.save_dir='./' -dvld.verbosity=3 -dvld.save_paths=1 -dvld.dump_paths=1 ./test.php

Actual result:
>>> disass
   0x00007ffff2a00b51 <+602>:	mov    rax,QWORD PTR [rax+0x30]
   0x00007ffff2a00b55 <+606>:	test   rax,rax
   0x00007ffff2a00b58 <+609>:	je     0x7ffff2a00b9f <vld_compile_file+680>
   0x00007ffff2a00b5a <+611>:	mov    rax,QWORD PTR [rbp-0x58]
=> 0x00007ffff2a00b5e <+615>:	mov    rax,QWORD PTR [rax+0x78]
   0x00007ffff2a00b62 <+619>:	test   rax,rax
   0x00007ffff2a00b65 <+622>:	je     0x7ffff2a00b75 <vld_compile_file+638>
   0x00007ffff2a00b67 <+624>:	mov    rax,QWORD PTR [rbp-0x58]
   0x00007ffff2a00b6b <+628>:	mov    rax,QWORD PTR [rax+0x78]
   0x00007ffff2a00b6f <+632>:	add    rax,0x18
   0x00007ffff2a00b73 <+636>:	jmp    0x7ffff2a00b7c <vld_compile_file+645>

>>> bt
#0  0x00007ffff2a00b5e in vld_compile_file (file_handle=0x7fffffffc9f0, type=0x8) at /home/mk/Work/SourceCode/php-src/vld/vld.c:377
#1  0x00005555557b195c in zend_execute_scripts ()
#2  0x00005555557524e0 in php_execute_script ()
#3  0x0000555555845ca4 in ?? ()
#4  0x0000555555637d54 in main ()
#5  0x00007ffff63fe830 in __libc_start_main (main=0x5555556378e0 <main>, argc=0x7, argv=0x7fffffffddf8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdde8) at ../csu/libc-start.c:291
#6  0x0000555555637e99 in _start ()
>>> info r
rax            0x0	0x0
rbx            0x0	0x0
rcx            0x7fffffffb610	0x7fffffffb610
rdx            0x0	0x0
rsi            0x5555557794f0	0x5555557794f0
rdi            0x0	0x0
rbp            0x55555584e310	0x55555584e310 <__libc_csu_init>
rsp            0x7fffffffdd20	0x7fffffffdd20
r8             0x1	0x1
r9             0x1	0x1
r10            0x2	0x2
r11            0x2	0x2
r12            0x555555637e70	0x555555637e70
r13            0x7fffffffddf0	0x7fffffffddf0
r14            0x0	0x0
r15            0x0	0x0
rip            0x7ffff63fe830	0x7ffff63fe830 <__libc_start_main+240>
eflags         0x10206	[ PF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

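The crash reported above, modelled as an added C example (not VLD's or PHP's own code): a compile hook receives the op_array returned by the wrapped compile_file, which is NULL when the script fails to parse. The struct layout, the `orig_compile_file` stand-in and the `dump_opcodes_*` names are constructed for illustration; the hardened variant shows the check the disassembly indicates is missing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the engine's op_array (not the real Zend layout);
 * only the fields this example needs. */
typedef struct {
    const char *function_name;
    size_t      last;          /* number of opcodes in the array */
} op_array_t;

/* Constructed stand-in for the original compile_file hook: like the real
 * engine, it returns NULL when the source does not parse. */
static op_array_t *orig_compile_file(const char *source) {
    static op_array_t ok = { "main", 3 };
    if (strstr(source, "<?php") == NULL || strstr(source, "syntax-error") != NULL)
        return NULL;           /* syntax error: no op_array is produced */
    return &ok;
}

/* Buggy shape: dereferences the result without checking it. With a
 * syntax error this reads through a NULL pointer, matching the crashing
 * load in the report's disassembly (rax == 0 at vld_compile_file+615). */
size_t dump_opcodes_unchecked(const char *source) {
    op_array_t *op_array = orig_compile_file(source);
    return op_array->last;     /* crashes when op_array == NULL */
}

/* Hardened shape: a NULL op_array means "nothing to dump"; report it and
 * let the caller surface the parse error instead of dereferencing. */
int dump_opcodes_checked(const char *source, size_t *n_opcodes) {
    op_array_t *op_array = orig_compile_file(source);
    if (op_array == NULL) {
        *n_opcodes = 0;
        return -1;             /* compile failed, no opcodes available */
    }
    *n_opcodes = op_array->last;
    return 0;
}

int main(void) {
    size_t n = 0;
    int rc = dump_opcodes_checked("<?php syntax-error", &n);
    printf("checked hook on broken script: rc=%d, opcodes=%zu\n", rc, n);
    rc = dump_opcodes_checked("<?php echo 1;", &n);
    printf("checked hook on valid script:  rc=%d, opcodes=%zu\n", rc, n);
    return 0;
}
```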

 [2016-07-22 19:07 UTC]
-Assigned To: +Assigned To: derick
 [2017-03-09 20:44 UTC]
-Type: Security +Type: Bug
 [2017-03-09 20:44 UTC]
This is not a security issue, as this requires local control, not to mention that VLD is a debugging extension not used in production systems.
 [2021-05-31 13:51 UTC]
-Status: Assigned +Status: Feedback
 [2021-05-31 13:51 UTC]
Is this still an issue with any of the actively supported PHP
versions[1] and most recent VLD (0.17.1)?

[1] <>
 [2021-06-13 04:22 UTC] pecl-dev at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.