php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74146 Null pointer dereference in _zval_get_long_func_ex()
Submitted: 2017-02-22 07:48 UTC Modified: 2017-03-02 18:37 UTC
From: fumfi dot 255 at gmail dot com Assigned: pollita (profile)
Status: Closed Package: Unknown/Other Function
PHP Version: 7.1.2 OS: Linux x64
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: fumfi dot 255 at gmail dot com
New email:
PHP Version: OS:

 

 [2017-02-22 07:48 UTC] fumfi dot 255 at gmail dot com
Description:
------------
After some fuzz testing I found a crashing test case.

PHP 7.1.2 compiled from source with ASAN.

To reproduce: /php-7.1.2/sapi/cli/php php_zend_null_ptr.php

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==26915==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000159 (pc 0x00000181faa6 bp 0x7fffa1f671b0 sp 0x7fffa1f670a0 T0)
==26915==The signal is caused by a READ memory access.
==26915==Hint: address points to the zero page.
    #0 0x181faa5 in _zval_get_long_func_ex XYZ/php-7.1.2/Zend/zend_operators.c:787:5
    #1 0x181faa5 in _zval_get_long_func XYZ/php-7.1.2/Zend/zend_operators.c:805
    #2 0x17b581d in _zval_get_long XYZ/php-7.1.2/Zend/zend_operators.h:270:50
    #3 0x17b581d in zend_compile_declare XYZ/php-7.1.2/Zend/zend_compile.c:4973
    #4 0x17a6806 in zend_compile_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7834:4
    #5 0x17cada3 in zend_compile_top_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7756:2
    #6 0x17cad48 in zend_compile_top_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7751:4
    #7 0x16e65c6 in zend_compile XYZ/php-7.1.2/Zend/zend_language_scanner.l:601:3
    #8 0x16e5f34 in compile_file XYZ/php-7.1.2/Zend/zend_language_scanner.l:635:14
    #9 0x11ba040 in phar_compile_file XYZ/php-7.1.2/ext/phar/phar.c:3320:9
    #10 0x185b1a8 in zend_execute_scripts XYZ/php-7.1.2/Zend/zend.c:1469:14
    #11 0x161d54d in php_execute_script XYZ/php-7.1.2/main/main.c:2537:14
    #12 0x1ccd48b in do_cli XYZ/php-7.1.2/sapi/cli/php_cli.c:993:5
    #13 0x1cca38e in main XYZ/php-7.1.2/sapi/cli/php_cli.c:1381:18
    #14 0x7f5bac0ed82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x463528 in _start (XYZ/php-7.1.2/sapi/cli/php+0x463528)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.2/Zend/zend_operators.c:787:5 in _zval_get_long_func_ex
==26915==ABORTING

Test script:
---------------
<?(function(){});function f(){}declare(ticks=±){}


Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-03-02 16:52 UTC] fumfi dot 255 at gmail dot com
This is CVE-2017-6441.
 [2017-03-02 18:31 UTC] nikic@php.net
Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only.
 [2017-03-02 18:37 UTC] requinix@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: pollita
 [2017-03-02 18:37 UTC] requinix@php.net
The PR was merged.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 03 11:01:27 2024 UTC