Bug #73532 Null pointer dereference in mb_eregi
Submitted: 2016-11-16 02:19 UTC Modified: 2016-11-16 03:49 UTC
From: marceloje at gmail dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.1Git-2016-11-16 (Git) OS: Linux x86_64
Private report: No CVE-ID: None

 [2016-11-16 02:19 UTC] marceloje at gmail dot com
Description:
------------
Invalid multibyte strings cause a zval null pointer in "_zval_ptr_dtor_nogc", through the "mb_eregi" function.

This happens in PHP 7.1 (PHP 7.0 does not crash).


Source code:
https://github.com/php/php-src/blob/PHP-7.1/Zend/zend_variables.h#L39

static zend_always_inline void _zval_ptr_dtor_nogc(zval *zval_ptr ZEND_FILE_LINE_DC)
{
        if (Z_REFCOUNTED_P(zval_ptr) && !Z_DELREF_P(zval_ptr)) {
                _zval_dtor_func(Z_COUNTED_P(zval_ptr) ZEND_FILE_LINE_RELAY_CC);
        }
}

Test script:
---------------
poc.php

<?php

mb_eregi("a", "\xf5");

Expected result:
----------------
No crash

Actual result:
--------------
ASan output:

ASAN:SIGSEGV
=================================================================
==7892==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x0000008bc4d2 bp 0x7fff53c82cc0 sp 0x7fff53c82ca0 T0)
    #0 0x8bc4d1 in _zval_ptr_dtor_nogc /home/operac/build6/php-src/Zend/zend_variables.h:39
    #1 0x8be82a in _php_mb_regex_ereg_exec /home/operac/build6/php-src/ext/mbstring/php_mbregex.c:711
    #2 0x8bf19a in zif_mb_eregi /home/operac/build6/php-src/ext/mbstring/php_mbregex.c:795
    #3 0xf42e39 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/operac/build6/php-src/Zend/zend_vm_execute.h:628
    #4 0xf41bb8 in execute_ex /home/operac/build6/php-src/Zend/zend_vm_execute.h:429
    #5 0xf41e33 in zend_execute /home/operac/build6/php-src/Zend/zend_vm_execute.h:474
    #6 0xe5bc28 in zend_execute_scripts /home/operac/build6/php-src/Zend/zend.c:1464
    #7 0xd16ba3 in php_execute_script /home/operac/build6/php-src/main/main.c:2533
    #8 0x10c8e6a in do_cli /home/operac/build6/php-src/sapi/cli/php_cli.c:990
    #9 0x10cac87 in main /home/operac/build6/php-src/sapi/cli/php_cli.c:1378
    #10 0x7f3b14ea982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x431e88 in _start (/home/operac/build6/bin/php+0x431e88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/operac/build6/php-src/Zend/zend_variables.h:39 _zval_ptr_dtor_nogc

-------------------------------------

GDB output:

gdb -q --args /home/operac/build6/bin/php -n poc.php
Reading symbols from /home/operac/build6/bin/php...done.
(gdb) r
Starting program: /home/operac/build6/bin/php -n poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000008bc4d2 in _zval_ptr_dtor_nogc (zval_ptr=0x0, __zend_filename=0x1679360 "/home/operac/build6/php-src/ext/mbstring/php_mbregex.c", __zend_lineno=711) at /home/operac/build6/php-src/Zend/zend_variables.h:39
39              if (Z_REFCOUNTED_P(zval_ptr) && !Z_DELREF_P(zval_ptr)) {

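As added context for triaging this report (not part of the report and not php-src code): a simplified C model of the PHP 7 zval layout shows why a NULL zval_ptr faults at address 0x9, since Z_REFCOUNTED_P() reads the type_flags byte at offset 9, and pairs it with a null-guarded release helper. Assumptions: x86_64 little-endian; the mock_ types, the flag value and the demo functions are stand-ins, not Zend's own definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for PHP 7's zval (assumption: x86_64, little-endian;
 * same field order as Zend/zend_types.h, but this is not that header). */
typedef union { int64_t lval; double dval; void *ptr; } mock_zend_value;
typedef struct { uint32_t refcount; } mock_zend_refcounted;
typedef struct {
    mock_zend_value value;                                 /* offset 0 */
    union {
        struct { uint8_t type, type_flags, const_flags, reserved; } v;
        uint32_t type_info;
    } u1;                                                  /* offset 8 */
    union { uint32_t next; uint32_t cache_slot; } u2;      /* offset 12 */
} mock_zval;
#define MOCK_IS_TYPE_REFCOUNTED (1u << 2)   /* mock value of IS_TYPE_REFCOUNTED */

/* The byte Z_REFCOUNTED_P() reads first: with a NULL zval pointer this is
 * the faulting address, which matches the SEGV at 0x9 in the ASan output. */
size_t type_flags_offset(void) { return offsetof(mock_zval, u1.v.type_flags); }

/* Guarded version of the _zval_ptr_dtor_nogc pattern: refuse NULL instead
 * of reading through it. Returns -1 on NULL, otherwise the refcount left. */
int guarded_ptr_dtor(mock_zval *zv) {
    if (zv == NULL) return -1;
    if (!(zv->u1.v.type_flags & MOCK_IS_TYPE_REFCOUNTED)) return 0;
    mock_zend_refcounted *rc = zv->value.ptr;
    return (int)--rc->refcount;   /* real code runs the destructor at 0 */
}

/* The error path from the report: release called with a NULL zval. */
int demo_null_release(void) { return guarded_ptr_dtor(NULL); }

/* A refcounted value released twice ends at refcount 0. */
int demo_release_sequence(void) {
    mock_zend_refcounted rc = { 2 };
    mock_zval zv = { .value.ptr = &rc };
    zv.u1.v.type_flags = MOCK_IS_TYPE_REFCOUNTED;
    guarded_ptr_dtor(&zv);
    return guarded_ptr_dtor(&zv);
}

int main(void) {
    printf("type_flags offset: %zu\n", type_flags_offset());
    printf("release(NULL): %d\n", demo_null_release());
    return 0;
}
```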

Patches

Pull Requests

History

 [2016-11-16 03:49 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-16 03:49 UTC] stas@php.net
Not released version, no need to hide.
 [2016-11-16 07:13 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=229024c7250d0a11fe9a83094a7e30b6fb83ad90
Log: Fixed bug #73532 (Null pointer dereference in mb_eregi)
 [2016-11-16 07:13 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-11-16 07:14 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=229024c7250d0a11fe9a83094a7e30b6fb83ad90
Log: Fixed bug #73532 (Null pointer dereference in mb_eregi)
 [2016-11-22 13:14 UTC] krakjoe@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=229024c7250d0a11fe9a83094a7e30b6fb83ad90
Log: Fixed bug #73532 (Null pointer dereference in mb_eregi)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 02 21:01:28 2024 UTC