PHP :: Bug #74146 :: Null pointer dereference in _zval_get_long_func

Bug #74146	Null pointer dereference in _zval_get_long_func_ex()
Submitted:	2017-02-22 07:48 UTC	Modified:	2017-03-02 18:37 UTC
From:	fumfi dot 255 at gmail dot com	Assigned:	pollita (profile)
Status:	Closed	Package:	Unknown/Other Function
PHP Version:	7.1.2	OS:	Linux x64
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 34 - 22 = ?
Subscribe to this entry?

[2017-02-22 07:48 UTC] fumfi dot 255 at gmail dot com

Description:
------------
After some fuzz testing I found a crashing test case.

PHP 7.1.2 compiled from source with ASAN.

To reproduce: /php-7.1.2/sapi/cli/php php_zend_null_ptr.php

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==26915==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000159 (pc 0x00000181faa6 bp 0x7fffa1f671b0 sp 0x7fffa1f670a0 T0)
==26915==The signal is caused by a READ memory access.
==26915==Hint: address points to the zero page.
    #0 0x181faa5 in _zval_get_long_func_ex XYZ/php-7.1.2/Zend/zend_operators.c:787:5
    #1 0x181faa5 in _zval_get_long_func XYZ/php-7.1.2/Zend/zend_operators.c:805
    #2 0x17b581d in _zval_get_long XYZ/php-7.1.2/Zend/zend_operators.h:270:50
    #3 0x17b581d in zend_compile_declare XYZ/php-7.1.2/Zend/zend_compile.c:4973
    #4 0x17a6806 in zend_compile_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7834:4
    #5 0x17cada3 in zend_compile_top_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7756:2
    #6 0x17cad48 in zend_compile_top_stmt XYZ/php-7.1.2/Zend/zend_compile.c:7751:4
    #7 0x16e65c6 in zend_compile XYZ/php-7.1.2/Zend/zend_language_scanner.l:601:3
    #8 0x16e5f34 in compile_file XYZ/php-7.1.2/Zend/zend_language_scanner.l:635:14
    #9 0x11ba040 in phar_compile_file XYZ/php-7.1.2/ext/phar/phar.c:3320:9
    #10 0x185b1a8 in zend_execute_scripts XYZ/php-7.1.2/Zend/zend.c:1469:14
    #11 0x161d54d in php_execute_script XYZ/php-7.1.2/main/main.c:2537:14
    #12 0x1ccd48b in do_cli XYZ/php-7.1.2/sapi/cli/php_cli.c:993:5
    #13 0x1cca38e in main XYZ/php-7.1.2/sapi/cli/php_cli.c:1381:18
    #14 0x7f5bac0ed82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x463528 in _start (XYZ/php-7.1.2/sapi/cli/php+0x463528)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.2/Zend/zend_operators.c:787:5 in _zval_get_long_func_ex
==26915==ABORTING

Test script:
---------------
<?(function(){});function f(){}declare(ticks=±){}

Patches

Add a Patch

Pull Requests

Pull requests:

Fix potential crash when setting invalid declare value (php-src/2396)

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-03-02 16:52 UTC] fumfi dot 255 at gmail dot com

This is CVE-2017-6441.

[2017-03-02 18:31 UTC] nikic@php.net

Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only.

[2017-03-02 18:37 UTC] requinix@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: pollita

[2017-03-02 18:37 UTC] requinix@php.net

The PR was merged.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 26 10:01:31 2024 UTC