php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72660 NULL Pointer dereference in zend_virtual_cwd
Submitted: 2016-07-23 18:27 UTC Modified: -
From: martino dot sani at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: master-Git-2016-07-23 (Git) OS: Debian 4.2.3-2 x86_64
Private report: No CVE-ID:
 [2016-07-23 18:27 UTC] martino dot sani at gmail dot com
Description:
------------
One of the IS_ABSOLUTE_PATH macro in zend_virtual_cwd.h file does not verify that the path is not null. This could lead to a null pointer dereference issue.

I triggered the issue through ZipArchive::addPattern function and ZTS (Zend Thread Safety) enabled, but maybe it could be triggered via different vectors.

http://php.net/manual/en/ziparchive.addpattern.php reports that the default value of $path argument is "." but in my test it was null.

--- zend_virtual_cwd.h (line 112) ---

#ifndef IS_ABSOLUTE_PATH
#define IS_ABSOLUTE_PATH(path, len) \
        (IS_SLASH(path[0]))
#endif

---

--- php_zip.c (line 609) ---

#ifdef ZTS
if (!IS_ABSOLUTE_PATH(path, path_len)) {
   result = VCWD_GETCWD(cwd, MAXPATHLEN);

---




Test script:
---------------
--- PHP test script ---

$zip = new ZipArchive();
$zip->open("foo.zip", ZIPARCHIVE::CREATE);
$zip->addPattern("/\./");

---

--- PHP build ---

$ ./configure --enable-zip --enable-maintainer-zts

---

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

0x0000000001f7e049 in php_zip_pcre (regexp=<optimized out>, path=0x0, path_len=<optimized out>, return_value=<optimized out>) at ext/zip/php_zip.c:610
warning: Source file is more recent than executable.
610             if (!IS_ABSOLUTE_PATH(path, path_len)) {

(gdb) bt

#0  0x0000000001f7e049 in php_zip_pcre (regexp=<optimized out>, path=0x0, path_len=<optimized out>, return_value=<optimized out>) at ext/zip/php_zip.c:610
#1  0x0000000001f9cb8b in php_zip_add_from_pattern (execute_data=<optimized out>, return_value=<optimized out>, type=<optimized out>) at ext/zip/php_zip.c:1669
#2  0x000000000276ddd4 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=<optimized out>) at Zend/zend_vm_execute.h:970
#3  0x0000000002673052 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#4  0x0000000002673c2f in zend_execute (op_array=<optimized out>, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#5  0x000000000242b711 in zend_execute_scripts (type=<optimized out>, retval=<optimized out>, file_count=<optimized out>) at Zend/zend.c:1447
#6  0x000000000202ccce in php_execute_script (primary_file=0x7fffffffcd20) at main/main.c:2533
#7  0x0000000002a97fe3 in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:990
#8  0x0000000002a9385c in main (argc=3, argv=0x60300000ee30) at sapi/cli/php_cli.c:1378

(gdb) info args

regexp = <optimized out>
path = 0x0


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-07-24 15:59 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ad96a052d918c7fcfaab702c4319acac20435d6b
Log: Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd)
 [2016-07-24 15:59 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ad96a052d918c7fcfaab702c4319acac20435d6b
Log: Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Jul 23 14:01:36 2017 UTC