php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75002 Null Pointer Dereference in timelib_time_clone
Submitted: 2017-07-28 10:08 UTC Modified: 2017-07-30 19:41 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Closed Package: SPL related
PHP Version: 5.6.31, 7.1.7 OS:
Private report: No CVE-ID:
 [2017-07-28 10:08 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
Since the argument origts to 0, the null pointer is interpreted.

Test script:
---------------
<?php

class aaa extends DatePeriod {
   
	public function __construct() { }
}

$start=new DateTime( '2012-08-01' );

foreach (new aaa($start) as $y){

 $a=$key;

}


Expected result:
----------------
no crash

Actual result:
--------------
root@ubuntu:/home/hjy/Desktop# ./php-7.1.7/sapi/cli/php poc.php 
ASAN:SIGSEGV
=================================================================
==6186==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x081c3fb7 sp 0xbfde97f0 bp 0xbfde9818 T0)
    #0 0x81c3fb6 in memcpy /usr/include/i386-linux-gnu/bits/string3.h:51
    #1 0x81c3fb6 in timelib_time_clone /home/hjy/Desktop/php-7.1.7/ext/date/lib/timelib.c:58
    #2 0x80be985 in date_period_it_rewind /home/hjy/Desktop/php-7.1.7/ext/date/php_date.c:1947
    #3 0xa12536a in ZEND_FE_RESET_R_SPEC_VAR_HANDLER /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:16525
    #4 0x9f38f6f in execute_ex /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:429
    #5 0xa34f88b in zend_execute /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:474
    #6 0x9c69108 in zend_execute_scripts /home/hjy/Desktop/php-7.1.7/Zend/zend.c:1476
    #7 0x98eb275 in php_execute_script /home/hjy/Desktop/php-7.1.7/main/main.c:2537
    #8 0xa35f295 in do_cli /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:993
    #9 0x80a8ceb in main /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:1381
    #10 0xb6bdca82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #11 0x80a995f (/home/hjy/Desktop/php-7.1.7/sapi/cli/php+0x80a995f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/i386-linux-gnu/bits/string3.h:51 memcpy
==6186==ABORTING


Patches

date-period-ctor-75002.txt.diff (last revision 2017-07-28 11:40 UTC) by derick@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-28 10:44 UTC] derick@php.net
-PHP Version: 7.1.7 +PHP Version: 5.6.31, 7.1.7
 [2017-07-28 10:44 UTC] derick@php.net
DatePeriod, wrapping internal structures, should not be extendable. In any case, I can reproduce this and I'm looking at a fix right now.
 [2017-07-28 11:40 UTC] derick@php.net
The following patch has been added/updated:

Patch Name: date-period-ctor-75002.txt.diff
Revision:   1501242055
URL:        https://bugs.php.net/patch-display.php?bug=75002&patch=date-period-ctor-75002.txt.diff&revision=1501242055
 [2017-07-30 19:41 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-08-02 14:43 UTC] ab@php.net
Automatic comment on behalf of derick
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b112d09013088e73676eee77f04a906d15fbd1a7
Log: Fixed bug #75002 Null Pointer Dereference in timelib_time_clone
 [2017-08-02 14:43 UTC] ab@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC