php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77738 Nullptr deref in zend_compile_expr
Submitted: 2019-03-13 16:11 UTC Modified: 2019-03-13 16:17 UTC
From: bugs-syssec at rub dot de Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.3.3 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bugs-syssec at rub dot de
New email:
PHP Version: OS:

 

 [2019-03-13 16:11 UTC] bugs-syssec at rub dot de
Description:
------------
$ ./php --version
PHP 7.3.0 (cli) (built: Jan 17 2019 14:04:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies

Test script:
---------------
https://filebin.ca/4a3zeQt3E7a5/nullptr_deref-zend_compile_expr.php

Expected result:
----------------
No crash.

Actual result:
--------------
==4473== Memcheck, a memory error detector
==4473== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4473== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==4473== Command: ./php-plain nullptr_deref-zend_compile_expr.php
==4473== 
==4473== Invalid read of size 2
==4473==    at 0x50C0DB: zend_compile_const (zend_compile.c:7709)
==4473==    by 0x50E604: zend_compile_expr (zend_compile.c:8371)
==4473==    by 0x51505D: zend_compile_stmt (zend_compile.c:8256)
==4473==    by 0x517F74: zend_compile_top_stmt (zend_compile.c:8142)
==4473==    by 0x517F60: zend_compile_top_stmt (zend_compile.c:8137)
==4473==    by 0x4F0958: zend_compile (zend_language_scanner.l:602)
==4473==    by 0x4F1ED9: compile_file (zend_language_scanner.l:636)
==4473==    by 0x3DE0FB: phar_compile_file (phar.c:3344)
==4473==    by 0x528A2A: zend_execute_scripts (zend.c:1562)
==4473==    by 0x4C949F: php_execute_script (main.c:2630)
==4473==    by 0x5B88BB: do_cli (php_cli.c:997)
==4473==    by 0x21105A: main (php_cli.c:1389)
==4473==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4473== 
==4473== 
==4473== Process terminating with default action of signal 11 (SIGSEGV)
==4473==  Access not within mapped region at address 0x0
==4473==    at 0x50C0DB: zend_compile_const (zend_compile.c:7709)
==4473==    by 0x50E604: zend_compile_expr (zend_compile.c:8371)
==4473==    by 0x51505D: zend_compile_stmt (zend_compile.c:8256)
==4473==    by 0x517F74: zend_compile_top_stmt (zend_compile.c:8142)
==4473==    by 0x517F60: zend_compile_top_stmt (zend_compile.c:8137)
==4473==    by 0x4F0958: zend_compile (zend_language_scanner.l:602)
==4473==    by 0x4F1ED9: compile_file (zend_language_scanner.l:636)
==4473==    by 0x3DE0FB: phar_compile_file (phar.c:3344)
==4473==    by 0x528A2A: zend_execute_scripts (zend.c:1562)
==4473==    by 0x4C949F: php_execute_script (main.c:2630)
==4473==    by 0x5B88BB: do_cli (php_cli.c:997)
==4473==    by 0x21105A: main (php_cli.c:1389)
==4473==  If you believe this happened as a result of a stack
==4473==  overflow in your program's main thread (unlikely but
==4473==  possible), you can try to increase the size of the
==4473==  main thread stack using the --main-stacksize= flag.
==4473==  The main thread stack size used in this run was 8388608.
==4473== 
==4473== HEAP SUMMARY:
==4473==     in use at exit: 1,312,694 bytes in 10,199 blocks
==4473==   total heap usage: 10,801 allocs, 602 frees, 1,668,856 bytes allocated
==4473== 
==4473== LEAK SUMMARY:
==4473==    definitely lost: 0 bytes in 0 blocks
==4473==    indirectly lost: 0 bytes in 0 blocks
==4473==      possibly lost: 1,049,520 bytes in 9,070 blocks
==4473==    still reachable: 263,174 bytes in 1,129 blocks
==4473==         suppressed: 0 bytes in 0 blocks
==4473== Rerun with --leak-check=full to see details of leaked memory
==4473== 
==4473== For counts of detected and suppressed errors, rerun with: -v
==4473== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-03-13 16:13 UTC] spam2 at rhsoft dot net
PHP 7.3.0 (cli) (built: Jan 17 2019 14:04:29) ( NTS )

don't you think it's a bad idea to report a bug against a month old build when 7.3.3 is the recent version with a ton of bugreports and fixes in the meantime?
 [2019-03-13 16:15 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-03-13 16:15 UTC] nikic@php.net
Verified that this still crashes on current PHP-7.3 head.
 [2019-03-13 16:17 UTC] nikic@php.net
-Status: Verified +Status: Analyzed
 [2019-03-13 16:17 UTC] nikic@php.net
Simpler reproducer:

<?php
var_dump(__COMPILER_HALT_OFFSET__);
; // <- important

Null statements are not handled.
 [2019-03-14 08:48 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c7920aba3e1892accca7cd13ef5b8a8fbf48b5c2
Log: Fixed bug #77738 (Nullptr deref in zend_compile_expr)
 [2019-03-14 08:48 UTC] laruence@php.net
-Status: Analyzed +Status: Closed
 [2019-03-14 16:27 UTC] nikic@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c7920aba3e1892accca7cd13ef5b8a8fbf48b5c2
Log: Fixed bug #77738 (Nullptr deref in zend_compile_expr)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 16:01:29 2024 UTC