Bug #72644 op_array NULL pointer dereference found in vld_compile_file
Submitted: 2016-07-22 05:39 UTC Modified: 2017-03-09 20:44 UTC
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: mkliu at tencent dot com Assigned: derick (profile)
Status: Assigned Package: vld (PECL)
PHP Version: 7.0.9 OS: linux
Private report: No CVE-ID: None


 [2016-07-22 05:39 UTC] mkliu at tencent dot com
A null pointer dereference is caused in vld_compile_file when we use VLD to dump the opcodes of a PHP file that contains a syntax error, such as:


Test script:
php -dvld.save_dir='./' -dvld.verbosity=3 -dvld.save_paths=1 -dvld.dump_paths=1 ./test.php

Actual result:
>>> disass
   0x00007ffff2a00b51 <+602>:	mov    rax,QWORD PTR [rax+0x30]
   0x00007ffff2a00b55 <+606>:	test   rax,rax
   0x00007ffff2a00b58 <+609>:	je     0x7ffff2a00b9f <vld_compile_file+680>
   0x00007ffff2a00b5a <+611>:	mov    rax,QWORD PTR [rbp-0x58]
=> 0x00007ffff2a00b5e <+615>:	mov    rax,QWORD PTR [rax+0x78]
   0x00007ffff2a00b62 <+619>:	test   rax,rax
   0x00007ffff2a00b65 <+622>:	je     0x7ffff2a00b75 <vld_compile_file+638>
   0x00007ffff2a00b67 <+624>:	mov    rax,QWORD PTR [rbp-0x58]
   0x00007ffff2a00b6b <+628>:	mov    rax,QWORD PTR [rax+0x78]
   0x00007ffff2a00b6f <+632>:	add    rax,0x18
   0x00007ffff2a00b73 <+636>:	jmp    0x7ffff2a00b7c <vld_compile_file+645>

>>> bt
#0  0x00007ffff2a00b5e in vld_compile_file (file_handle=0x7fffffffc9f0, type=0x8) at /home/mk/Work/SourceCode/php-src/vld/vld.c:377
#1  0x00005555557b195c in zend_execute_scripts ()
#2  0x00005555557524e0 in php_execute_script ()
#3  0x0000555555845ca4 in ?? ()
#4  0x0000555555637d54 in main ()
#5  0x00007ffff63fe830 in __libc_start_main (main=0x5555556378e0 <main>, argc=0x7, argv=0x7fffffffddf8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdde8) at ../csu/libc-start.c:291
#6  0x0000555555637e99 in _start ()
>>> info r
rax            0x0	0x0
rbx            0x0	0x0
rcx            0x7fffffffb610	0x7fffffffb610
rdx            0x0	0x0
rsi            0x5555557794f0	0x5555557794f0
rdi            0x0	0x0
rbp            0x55555584e310	0x55555584e310 <__libc_csu_init>
rsp            0x7fffffffdd20	0x7fffffffdd20
r8             0x1	0x1
r9             0x1	0x1
r10            0x2	0x2
r11            0x2	0x2
r12            0x555555637e70	0x555555637e70
r13            0x7fffffffddf0	0x7fffffffddf0
r14            0x0	0x0
r15            0x0	0x0
rip            0x7ffff63fe830	0x7ffff63fe830 <__libc_start_main+240>
eflags         0x10206	[ PF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0


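The faulting instruction in the disassembly above loads the local at [rbp-0x58], the op_array handed back by the original compile hook, and dereferences it without checking it. The block below is an added example, not code from vld.c or the Zend engine: a small C model of the compile_file hook pattern (save the engine's hook, install your own, call the original, inspect the returned op_array) with the NULL check a dumping extension needs beside the form that crashes. The types and names used here (toy_op_array, toy_compile_file, compile_file_ptr, the hooked_* functions, the constructed brace-and-semicolon "grammar") are stand-ins for the real Zend types and are assumptions of the example.

```c
/* Added example, not code from vld.c or the Zend engine: a minimal model of
 * the compile_file hook pattern showing the NULL check a dumping extension
 * needs.  toy_op_array, toy_compile_file, compile_file_ptr and the hooked_*
 * functions are stand-ins for the real Zend types (assumptions). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    const char *filename;
    int last_opcode;          /* number of opcodes in the compiled unit */
} toy_op_array;

typedef toy_op_array *(*compile_file_fn)(const char *filename, const char *source);

/* Stand-in for the engine's compiler: returns NULL when the source does not
 * parse, which is what a compile hook gets back for a file with a syntax
 * error.  The "grammar" is constructed for the example: braces must balance
 * and each ';' counts as one opcode. */
static toy_op_array *toy_compile_file(const char *filename, const char *source)
{
    int depth = 0, opcodes = 0;
    for (const char *p = source; *p; p++) {
        if (*p == '{') {
            depth++;
        } else if (*p == '}') {
            if (--depth < 0) return NULL;   /* syntax error: stray '}' */
        } else if (*p == ';') {
            opcodes++;
        }
    }
    if (depth != 0) return NULL;            /* syntax error: unclosed '{' */

    toy_op_array *op = calloc(1, sizeof *op);
    if (op == NULL) return NULL;
    op->filename = filename;
    op->last_opcode = opcodes;
    return op;
}

/* The engine's hook pointer and the saved original, as an extension keeps them. */
static compile_file_fn compile_file_ptr = toy_compile_file;
static compile_file_fn old_compile_file = NULL;

/* What the hook "dumped" last; -1 means nothing was dumped. */
static int last_dumped_opcodes = -1;

/* Shape of the reported bug: the original hook returned NULL for a file that
 * failed to compile, and the dump dereferences the result anyway. */
static toy_op_array *hooked_compile_file_unsafe(const char *filename, const char *source)
{
    toy_op_array *op = old_compile_file(filename, source);
    last_dumped_opcodes = op->last_opcode;  /* NULL pointer dereference on a syntax error */
    return op;
}

/* Hardened form: skip the dump and hand the NULL back to the engine, which
 * already knows how to report the compile error. */
static toy_op_array *hooked_compile_file_safe(const char *filename, const char *source)
{
    toy_op_array *op = old_compile_file(filename, source);
    if (op == NULL) {
        last_dumped_opcodes = -1;
        return NULL;
    }
    last_dumped_opcodes = op->last_opcode;
    return op;
}

/* Install a hook the way a VLD-style extension does at module init: remember
 * the engine's compiler once, then point the engine at ours. */
static void install_compile_hook(compile_file_fn hook)
{
    if (old_compile_file == NULL)
        old_compile_file = compile_file_ptr;
    compile_file_ptr = hook;
}

/* Compile through whatever hook is installed and report the opcode count
 * that was dumped, or -1 if compilation failed and nothing was dumped. */
static int compile_and_dump(const char *filename, const char *source)
{
    toy_op_array *op = compile_file_ptr(filename, source);
    int dumped = last_dumped_opcodes;
    free(op);                               /* free(NULL) is a no-op */
    return dumped;
}

int main(void)
{
    install_compile_hook(hooked_compile_file_safe);
    printf("ok.php  -> %d opcodes dumped\n",
           compile_and_dump("ok.php", "<?php { a; b; }"));
    printf("bad.php -> %d (compile failed, nothing dumped)\n",
           compile_and_dump("bad.php", "<?php { a;"));
    return 0;
}
```

The unsafe variant is kept only for comparison; main installs the safe hook, so the constructed syntax-error input goes through the NULL check instead of the dereference.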
 [2016-07-22 19:07 UTC]
-Assigned To: +Assigned To: derick
 [2017-03-09 20:44 UTC]
-Type: Security +Type: Bug
 [2017-03-09 20:44 UTC]
This is not a security issue, as this requires local control, not to mention that VLD is a debugging extension not used in production systems.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed May 12 09:01:24 2021 UTC