Bug #76813 Access violation near NULL on source operand
Submitted: 2018-08-30 07:19 UTC Modified: 2018-09-06 15:02 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: songmingxuan at cert dot org dot cn Assigned:
Status: Verified Package: Reproducible crash
PHP Version: 7.2.9 OS: ubuntu/windows
Private report: No CVE-ID: None

 [2018-08-30 07:19 UTC] songmingxuan at cert dot org dot cn
Description:
------------
First, run phpdbg.
Then input the string "#!==)===\377\377\276\242="

for example:
-------------
prompt> "#!==)===\377\377\276\242="
[PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 4257214139 bytes) in Unknown on line 0]
[Could not find information about included file...]
prompt>
------------
Input the string again and the program crashes.

Test script:
---------------
Input the string "#!==)===\377\377\276\242=" in phpdbg.

Expected result:
----------------
I hope the program runs as usual. Same as CMD. Not crumble.


History

 [2018-08-30 07:44 UTC] songmingxuan at cert dot org dot cn
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2018-08-30 07:44 UTC] songmingxuan at cert dot org dot cn
It could be a safety issue.
 [2018-08-30 09:34 UTC] cmb@php.net
If this issue affects phpdbg only, it wouldn't be a security issue.
 [2018-08-30 09:53 UTC] songmingxuan at cert dot org dot cn
Well! Thank you for your reply. Your confirmation is authoritative. I changed it to bug. But it is indeed a problem. I still hope that you can rectify it. Thank you very much.
 [2018-08-30 10:05 UTC] songmingxuan at cert dot org dot cn
I can't change the title to a bug here. No privileges. I hope you can change the Sec Bug to Bug. Thank you!
 [2018-08-30 10:22 UTC] songmingxuan at cert dot org dot cn
I just ran it under GDB. The display information is:
----------
#0  __memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:578
#1  0x08ed3f23 in memcpy (__len=0x485fdf7a, __src=0xb7a02080, __dest=<optimized out>) at /usr/include/i386-linux-gnu/bits/string3.h:53
#2  _estrndup (s=0xb7a02080 "#!==)===377377376242=\\242=\"\n", length=length@entry=0x485fdf7a)
    at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:2538
#3  0x093c5c9b in phpdbg_lex (yylval=0xbfff9760) at sapi/phpdbg/phpdbg_lexer.l:163
#4  0x093c17f5 in phpdbg_parse () at sapi/phpdbg/phpdbg_parser.c:1392
#5  0x093c2251 in phpdbg_do_parse (stack=0xbfffbca0, input=0xb7a02080 "#!==)===377377376242=\\242=\"\n") at sapi/phpdbg/phpdbg_parser.y:204
#6  0x093db78a in phpdbg_interactive (allow_async_unsafe=0x1, input=0x0) at /home/s/Desktop/php-7.2.8/sapi/phpdbg/phpdbg_prompt.c:1622
#7  0x093b9684 in php_sapi_phpdbg_log_message (
    message=0xb7a6a000 "PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 1214242715 bytes) in Unknown on line 0", syslog_type_int=0x3) at /home/s/Desktop/php-7.2.8/sapi/phpdbg/phpdbg.c:887
#8  0x0807315e in php_log_err_with_severity (
    log_message=0xb7a6a000 "PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 1214242715 bytes) in Unknown on line 0", syslog_type_int=0x3) at /home/s/Desktop/php-7.2.8/main/main.c:726
#9  0x08074101 in php_error_cb (type=0x1, error_filename=0x9468fa0 "Unknown", error_lineno=0x0, 
    format=0x9a93730 "Allowed memory size of %zu bytes exhausted (tried to allocate %zu bytes)", args=0xbfffbea8 "")
    at /home/s/Desktop/php-7.2.8/main/main.c:1163
#10 0x0807b443 in zend_error (type=0x1, format=0x9a93730 "Allowed memory size of %zu bytes exhausted (tried to allocate %zu bytes)")
    at /home/s/Desktop/php-7.2.8/Zend/zend.c:1230
#11 0x08079c2e in zend_mm_safe_error (
    format=format@entry=0x9a93730 "Allowed memory size of %zu bytes exhausted (tried to allocate %zu bytes)", limit=0x8000000, 
    size=0x485fdf9b, heap=0xb7a00040) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:380
#12 0x08ec1086 in zend_mm_alloc_huge (size=0x485fdf9b, heap=0xb7a00040) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:1738
#13 zend_mm_alloc_heap (size=0x485fdf9b, heap=0xb7a00040) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:1369
#14 _zend_mm_alloc (heap=0xb7a00040, size=0x485fdf9b) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:2270
#15 0x08ed3f82 in _emalloc (size=0x485fdf9b) at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:2429
#16 _estrndup (s=0xb7a02060 "#!==)===377377376242=\\242=\"\n", length=length@entry=0x485fdf9a)
    at /home/s/Desktop/php-7.2.8/Zend/zend_alloc.c:2537
#17 0x093c5c9b in phpdbg_lex (yylval=0xbfffc070) at sapi/phpdbg/phpdbg_lexer.l:163
#18 0x093c17f5 in phpdbg_parse () at sapi/phpdbg/phpdbg_parser.c:1392
#19 0x093c2251 in phpdbg_do_parse (stack=0xbfffe5b0, input=0xb7a02060 "#!==)===377377376242=\\242=\"\n") at sapi/phpdbg/phpdbg_parser.y:204
#20 0x093db78a in phpdbg_interactive (allow_async_unsafe=0x1, input=0x0) at /home/s/Desktop/php-7.2.8/sapi/phpdbg/phpdbg_prompt.c:1622
#21 0x0808951a in main (argc=0x1, argv=0xbfffeff4) at /home/s/Desktop/php-7.2.8/sapi/phpdbg/phpdbg.c:2001
#22 0xb7c40637 in __libc_start_main (main=0x8084ba0 <main>, argc=0x1, argv=0xbfffeff4, init=0x9468640 <__libc_csu_init>, 
    fini=0x94686a0 <__libc_csu_fini>, rtld_fini=0xb7fea880 <_dl_fini>, stack_end=0xbfffefec) at ../csu/libc-start.c:291
#23 0x0808a857 in _start ()
---------
Please check it over there. ;)
 [2018-08-30 11:25 UTC] remi@php.net
-Type: Security +Type: Bug
 [2018-09-06 14:42 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-09-06 14:42 UTC] cmb@php.net
The problem is that the lexer doesn't properly recognize the end
of the input, and calculates yyleng based on YYCURSOR[1], which
may be zero.  It seems to me that this also may result in a memory
corruption, since entering the string on the prompt again, leads
to a crash (tested on Windows).

[1] <https://github.com/php/php-src/blob/php-7.3.0beta3/sapi/phpdbg/phpdbg_lexer.l#L87>
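The backtrace above is consistent with that diagnosis on a 32-bit build: in both `_estrndup` frames the requested length equals 0xFFFFFFFA minus the input buffer address (0xb7a02080 gives 0x485fdf7a, 0xb7a02060 gives 0x485fdf9a), i.e. yyleng was computed as a cursor a few bytes below NULL minus the token start, and the unsigned result was handed to the allocator. The following C program is an added illustration, not code from phpdbg or the PHP project: it models that length computation with a toy lexer state (the struct and function names are assumptions made for the example), reproduces the 32-bit value from the backtrace, and shows the bounds check that keeps an out-of-line cursor from turning into a huge allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the phpdbg lexer state (an assumption for this example; the
 * field names are not phpdbg's own). */
struct toy_lexer {
    const char *buf;     /* start of the prompt line */
    size_t      buf_len; /* bytes in the line, excluding the terminating NUL */
    const char *text;    /* start of the token being matched */
    const char *cursor;  /* where the scanner stopped (re2c's YYCURSOR) */
};

/* 32-bit model of "yyleng = YYCURSOR - yytext".  With the backtrace's buffer
 * address 0xb7a02080 and a cursor of 0xFFFFFFFA (six bytes below NULL) this
 * yields exactly the length=0x485fdf7a that _estrndup was asked for. */
static uint32_t yyleng32(uint32_t cursor, uint32_t text)
{
    return cursor - text; /* unsigned wrap-around: a near-NULL cursor gives ~1.2 GB */
}

/* Unchecked length on the host: the difference is taken through uintptr_t so
 * the wrap-around is well defined even when the cursor is NULL. */
static size_t token_len_unchecked(const struct toy_lexer *lx)
{
    return (size_t)((uintptr_t)lx->cursor - (uintptr_t)lx->text);
}

/* Checked variant: the cursor must lie within [text, buf + buf_len].
 * Returns 0 and sets *ok = 0 for any cursor outside the line. */
static size_t token_len_checked(const struct toy_lexer *lx, int *ok)
{
    uintptr_t b = (uintptr_t)lx->buf;
    uintptr_t t = (uintptr_t)lx->text;
    uintptr_t c = (uintptr_t)lx->cursor;
    uintptr_t end = b + lx->buf_len;
    if (lx->cursor == NULL || t < b || t > end || c < t || c > end) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return (size_t)(c - t);
}

/* Duplicate the current token the way a lexer hands it to the parser, but
 * only after the length check and an allocation-limit check (the page shows
 * phpdbg's limit of 134217728 bytes).  Returns NULL on any failure. */
static char *dup_token(const struct toy_lexer *lx, size_t limit)
{
    int ok;
    size_t len = token_len_checked(lx, &ok);
    if (!ok || len >= limit) {
        return NULL;
    }
    char *copy = malloc(len + 1);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, lx->text, len);
    copy[len] = '\0';
    return copy;
}

int main(void)
{
    /* Constructed input mirroring the report's prompt line; "#!==)" is
     * treated as the first token, so the cursor sits five bytes in. */
    const char line[] = "#!==)===\377\377\276\242=";
    struct toy_lexer lx = { line, sizeof line - 1, line, line + 5 };

    char *tok = dup_token(&lx, 134217728);
    printf("well-formed cursor: token=\"%s\" len=%zu\n",
           tok ? tok : "(null)", token_len_unchecked(&lx));
    free(tok);

    lx.cursor = NULL; /* the failure described above: YYCURSOR at/near zero */
    printf("NULL cursor: unchecked len=%zu, 32-bit model len=0x%x, dup_token=%s\n",
           token_len_unchecked(&lx), yyleng32(0xFFFFFFFAu, 0xb7a02080u),
           dup_token(&lx, 134217728) ? "allocated" : "rejected");
    return 0;
}
```

The unchecked path is what the report's "tried to allocate 4257214139 bytes" corresponds to; the checked path rejects the cursor before any length reaches the allocator, which is the property a fix in the lexer has to guarantee regardless of how the end of input is detected.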
 [2018-09-06 15:02 UTC] songmingxuan at cert dot org dot cn
This problem may be an integer overflow problem. It seems to affect phpdbg only. I suggest you repair it.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sat Nov 17 03:01:25 2018 UTC