php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74146 Null pointer dereference in _zval_get_long_func_ex()
Submitted: 2017-02-22 07:48 UTC Modified: 2017-03-02 18:37 UTC
From: fumfi dot 255 at gmail dot com Assigned: pollita (profile)
Status: Closed Package: Unknown/Other Function
PHP Version: 7.1.2 OS: Linux x64
Private report: No CVE-ID: None
 [2017-02-22 07:48 UTC] fumfi dot 255 at gmail dot com
Description:
------------
After some fuzz testing I found a crashing test case.

PHP 7.1.2 compiled from source with ASAN.

To reproduce: /php-7.1.2/sapi/cli/php php_zend_null_ptr.php

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==26915==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000159 (pc 0x00000181faa6 bp 0x7fffa1f671b0 sp 0x7fffa1f670a0 T0)
==26915==The signal is caused by a READ memory access.
==26915==Hint: address points to the zero page.
    #0 0x181faa5 in _zval_get_long_func_ex XYZ/php-7.1.2/Zend/zend_operators.c:787:5
    #1 0x181faa5 in _zval_get_long_func XYZ/php-7.1.2/Zend/zend_operators.c:805
    #2 0x17b581d in _zval_get_long XYZ/php-7.1.2/Zend/zend_operators.h:270:50
    #3 0x17b581d in zend_compile_declare XYZ/php-7.1.2/Zend/zend_compile.c:4973
    #4 0x17a6806 in zend_compile_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7834:4
    #5 0x17cada3 in zend_compile_top_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7756:2
    #6 0x17cad48 in zend_compile_top_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7751:4
    #7 0x16e65c6 in zend_compile XYZ/php-7.1.2/Zend/zend_language_scanner.l:601:3
    #8 0x16e5f34 in compile_file XYZ/php-7.1.2/Zend/zend_language_scanner.l:635:14
    #9 0x11ba040 in phar_compile_file XYZ/php-7.1.2/ext/phar/phar.c:3320:9
    #10 0x185b1a8 in zend_execute_scripts XYZ/php-7.1.2/Zend/zend.c:1469:14
    #11 0x161d54d in php_execute_script XYZ/php-7.1.2/main/main.c:2537:14
    #12 0x1ccd48b in do_cli XYZ/php-7.1.2/sapi/cli/php_cli.c:993:5
    #13 0x1cca38e in main XYZ/php-7.1.2/sapi/cli/php_cli.c:1381:18
    #14 0x7f5bac0ed82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x463528 in _start (XYZ/php-7.1.2/sapi/cli/php+0x463528)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.2/Zend/zend_operators.c:787:5 in _zval_get_long_func_ex
==26915==ABORTING

Test script:
---------------
<?(function(){});function f(){}declare(ticks=±){}


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-03-02 16:52 UTC] fumfi dot 255 at gmail dot com
This is CVE-2017-6441.
 [2017-03-02 18:31 UTC] nikic@php.net
Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only.
 [2017-03-02 18:37 UTC] requinix@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: pollita
 [2017-03-02 18:37 UTC] requinix@php.net
The PR was merged.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Sep 24 23:03:36 2021 UTC