Bug #75002 Null Pointer Dereference in timelib_time_clone
Submitted: 2017-07-28 10:08 UTC Modified: 2017-07-30 19:41 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Closed Package: SPL related
PHP Version: 5.6.31, 7.1.7 OS:
Private report: No CVE-ID: None

 [2017-07-28 10:08 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Since the argument origts to 0, the null pointer is interpreted.

Test script:

<?php
class aaa extends DatePeriod {
	// Overrides the constructor and never calls DatePeriod's own
	public function __construct() { }
}

$start=new DateTime( '2012-08-01' );

foreach (new aaa($start) as $y){
}


Expected result:
no crash

Actual result:
root@ubuntu:/home/hjy/Desktop# ./php-7.1.7/sapi/cli/php poc.php 
==6186==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x081c3fb7 sp 0xbfde97f0 bp 0xbfde9818 T0)
    #0 0x81c3fb6 in memcpy /usr/include/i386-linux-gnu/bits/string3.h:51
    #1 0x81c3fb6 in timelib_time_clone /home/hjy/Desktop/php-7.1.7/ext/date/lib/timelib.c:58
    #2 0x80be985 in date_period_it_rewind /home/hjy/Desktop/php-7.1.7/ext/date/php_date.c:1947
    #3 0xa12536a in ZEND_FE_RESET_R_SPEC_VAR_HANDLER /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:16525
    #4 0x9f38f6f in execute_ex /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:429
    #5 0xa34f88b in zend_execute /home/hjy/Desktop/php-7.1.7/Zend/zend_vm_execute.h:474
    #6 0x9c69108 in zend_execute_scripts /home/hjy/Desktop/php-7.1.7/Zend/zend.c:1476
    #7 0x98eb275 in php_execute_script /home/hjy/Desktop/php-7.1.7/main/main.c:2537
    #8 0xa35f295 in do_cli /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:993
    #9 0x80a8ceb in main /home/hjy/Desktop/php-7.1.7/sapi/cli/php_cli.c:1381
    #10 0xb6bdca82 in __libc_start_main (/lib/i386-linux-gnu/
    #11 0x80a995f (/home/hjy/Desktop/php-7.1.7/sapi/cli/php+0x80a995f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/i386-linux-gnu/bits/string3.h:51 memcpy
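
An added example, not PHP's or timelib's code and not the patch attached to this report: a simplified C model of the failure in the trace above, where an object whose constructor never ran reaches a clone helper with a NULL source, next to the state check that turns the crash into an error return. All `model_*` names, `rewind_case` and the struct layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins (assumed layout, not timelib's real structs). */
typedef struct { long y, m, d; } model_time;
typedef struct { model_time *start, *current; } model_period;

/* Clone helper. Without the NULL check, memcpy() would read through orig,
 * which is the faulting frame in the trace. */
static model_time *model_time_clone(const model_time *orig)
{
    if (orig == NULL) return NULL;
    model_time *copy = malloc(sizeof *copy);
    if (copy != NULL) memcpy(copy, orig, sizeof *copy);
    return copy;
}

/* "Parent constructor": the only code that ever sets ->start. */
static int model_period_init(model_period *p, long y, long m, long d)
{
    p->start = malloc(sizeof *p->start);
    if (p->start == NULL) return -1;
    p->start->y = y; p->start->m = m; p->start->d = d;
    return 0;
}

/* Iterator rewind: validate object state before cloning.
 * Returns 0 on success, -1 if the object was never initialized. */
static int model_period_rewind(model_period *p)
{
    if (p->start == NULL) return -1;
    free(p->current);
    p->current = model_time_clone(p->start);
    return p->current != NULL ? 0 : -1;
}

/* Constructed scenario: ctor_ran == 0 models a subclass whose constructor
 * never calls the parent's, so ->start is still NULL at rewind time. */
static int rewind_case(int ctor_ran)
{
    model_period p = { NULL, NULL };
    if (ctor_ran && model_period_init(&p, 2012, 8, 1) != 0) return -2;
    int rc = model_period_rewind(&p);
    free(p.current); free(p.start);
    return rc;
}

int main(void) { printf("no ctor: %d, ctor: %d\n", rewind_case(0), rewind_case(1)); return 0; }
```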


date-period-ctor-75002.txt.diff (last revision 2017-07-28 11:40 UTC by

 [2017-07-28 10:44 UTC]
-PHP Version: 7.1.7 +PHP Version: 5.6.31, 7.1.7
 [2017-07-28 10:44 UTC]
DatePeriod, wrapping internal structures, should not be extendable. In any case, I can reproduce this and I'm looking at a fix right now.
 [2017-07-28 11:40 UTC]
The following patch has been added/updated:

Patch Name: date-period-ctor-75002.txt.diff
Revision:   1501242055
 [2017-07-30 19:41 UTC]
-Type: Security +Type: Bug
 [2017-08-02 14:43 UTC]
Automatic comment on behalf of derick
Log: Fixed bug #75002 Null Pointer Dereference in timelib_time_clone
 [2017-08-02 14:43 UTC]
-Status: Open +Status: Closed