Bug #73094 Create unexpected object without checking input
Submitted: 2016-09-15 17:19 UTC Modified: 2016-09-15 17:27 UTC
From: ahihibughunter at gmail dot com Assigned:
Status: Open Package: intl (PECL)
PHP Version: 7.1.0RC1 OS: ALL
Private report: No CVE-ID: None

 [2016-09-15 17:19 UTC] ahihibughunter at gmail dot com
Description:
------------
An unexpected IntlRuleBasedBreakIterator object is still created with a null input object.

$ahihi = new IntlRuleBasedBreakIterator("");
var_dump($ahihi);
------>
object(IntlRuleBasedBreakIterator)#1 (3) {
  ["valid"]=>
  bool(true)  <- this object is valid
  ["text"]=>
  NULL
}
It leads to a segmentation fault when iterating to the next boundary.

This bug affects all versions of PHP.


Test script:
---------------
<?php
$ahihi = new IntlRuleBasedBreakIterator("");
var_dump($ahihi);
$ahihi->next();
?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb php7/php-src-PHP-7.0.11/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1

(gdb) r crash.php 
Starting program: /home/zx/zx/php/php7/php-src-PHP-7.0.11/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
object(IntlRuleBasedBreakIterator)#1 (3) {
  ["valid"]=>
  bool(true)
  ["text"]=>
  NULL
}

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5877b28 in icu_55::RuleBasedBreakIterator::handleNext(icu_55::RBBIStateTable const*) ()
   from /usr/lib/x86_64-linux-gnu/libicuuc.so.55

(gdb) bt
#0  0x00007ffff5877b28 in icu_55::RuleBasedBreakIterator::handleNext(icu_55::RBBIStateTable const*) ()
   from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#1  0x00007ffff5879e59 in icu_55::RuleBasedBreakIterator::next() ()
   from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#2  0x00000000006d24c7 in _breakiter_no_args_ret_int32(const char *, struct {...}, zend_execute_data *, zval *) (func_name=0xeee84a "breakiter_next", func=&virtual table offset 104, 
    execute_data=0x7fffede140f0, return_value=0x7fffede140e0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/intl/breakiterator/breakiterator_methods.cpp:199
#3  0x00000000006d2923 in zif_breakiter_next (execute_data=0x7fffede140f0, return_value=0x7fffede140e0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/intl/breakiterator/breakiterator_methods.cpp:278
#4  0x0000000000a4cf55 in ZEND_DO_FCALL_SPEC_HANDLER ()
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/Zend/zend_vm_execute.h:842
.....

History

 [2016-09-15 17:27 UTC] stas@php.net
-Type: Security +Type: Bug
 
Last updated: Sat May 25 03:01:26 2019 UTC