Sec Bug #68545 :: NULL pointer dereference in unserialize.c:var_push_dtor

| Sec Bug #68545 | NULL pointer dereference in unserialize.c:var_push_dtor | | |
|---|---|---|---|
| Submitted: | 2014-12-03 23:10 UTC | Modified: | 2014-12-11 20:15 UTC |
| From: | charlie at ceriksen dot com | Assigned: | ab |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | 5.6.3 | OS: | Ubuntu 2.6.32/Debian 3.7 |
| Private report: | No | CVE-ID: | None |
[2014-12-03 23:10 UTC] charlie at ceriksen dot com
Description:
------------
There's a NULL pointer dereference issue in the var_push_dtor function in unserialize.c. By running the test script, you'll get the following segfault:

```
Program received signal SIGSEGV, Segmentation fault.
var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb858) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
62	var_entries *var_hash = (*var_hashx)->last_dtor;
```

According to 3v4l.org, it crashes on the following versions (http://3v4l.org/BtYZg): 4.3.10 - 4.4.9, 5.0.3 - 5.6.3, php7@20140507 - 20141101.

Test script:
---------------
```php
<?php echo unserialize('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";'); ?>
```

Expected result:
----------------
The interpreter shouldn't crash.

Actual result:
--------------
```
(gdb) bt
#0  var_push_dtor (var_hashx=0x0, rval=0x7ffff7fdb7d0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:62
#1  0x00000000004481af in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0, ht=0x7ffff7fdb700, elements=4, objprops=0, rval=<optimized out>) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:329
#2  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x0) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#3  0x0000000000447436 in process_nested_data (p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90, ht=0x7ffff7fdb678, elements=5, objprops=0, rval=<optimized out>) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:297
#4  0x0000000000fdc686 in php_var_unserialize (rval=<optimized out>, p=0x7fffffffab80, max=0x7ffff7fdccf7 "", var_hash=0x7fffffffab90) at /home/charlie/php-5.6.3/ext/standard/var_unserializer.c:815
#5  0x0000000000f9884a in zif_unserialize (ht=<optimized out>, return_value=0x7ffff7fda908, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/charlie/php-5.6.3/ext/standard/var.c:965
#6  0x000000000158cf5c in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:558
#7  0x0000000001483b1a in execute_ex (execute_data=0x7ffff7fa8110) at /home/charlie/php-5.6.3/Zend/zend_vm_execute.h:363
#8  0x00000000012824cd in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/charlie/php-5.6.3/Zend/zend.c:1344
#9  0x000000000105522a in php_execute_script (primary_file=0x7fffffffd1c0) at /home/charlie/php-5.6.3/main/main.c:2584
#10 0x000000000159a1ed in do_cli (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:994
#11 0x000000000045052d in main (argc=3, argv=0x22979a0) at /home/charlie/php-5.6.3/sapi/cli/php_cli.c:1378
#12 0x00007ffff710976d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000000000450601 in _start ()
```
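As an added illustration (not part of the report and not PHP's own code), a small Python pre-check that walks PHP's serialize() format and rejects the malformed shape in the test script above: an `a:` token where an array key should be (PHP arrays only take integer or string keys). The backtrace shows the inner php_var_unserialize call (frame #2) already running with var_hash=0x0, so refusing such input before it reaches unserialize() is a reasonable input filter for a service that cannot patch immediately; `check_serialized` and the sample strings are my own.

```python
import re
# Constructed sample inputs: the crash string from the report above, and a
# well-formed nested array for comparison.
CRASH_PAYLOAD = ('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";'
                 's:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";'
                 's:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";'
                 's:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";'
                 's:3:"foo";s:3:"bar";s:3:"bar";')
GOOD_PAYLOAD = 'a:2:{i:0;s:3:"foo";s:3:"bar";a:1:{i:1;b:1;}}'

def _parse(s, i, in_key=False):
    """Decode one value at s[i]; return (value, index after it). Array keys
    (in_key=True) may only be i: or s:, the invariant the crash string breaks."""
    t = s[i:i + 1]
    if in_key and t not in ('i', 's'):
        raise ValueError(f"non-scalar key type {t!r} at offset {i}")
    if s.startswith('N;', i):
        return None, i + 2
    m = re.match(r'([bid]):(-?[0-9.]+);', s[i:])
    if m:  # b:1; i:42; d:1.5;
        kind, raw = m.groups()
        val = raw != '0' if kind == 'b' else int(raw) if kind == 'i' else float(raw)
        return val, i + m.end()
    m = re.match(r's:(\d+):"', s[i:])
    if m:  # s:<len>:"<bytes>"; -- slice by the declared length, never by quote
        n, start = int(m.group(1)), i + m.end()
        if s[start + n:start + n + 2] != '";':
            raise ValueError(f"string length mismatch at offset {i}")
        return s[start:start + n], start + n + 2
    m = re.match(r'a:(\d+):\{', s[i:])
    if m:  # a:<count>:{key;value;...}
        n, j, out = int(m.group(1)), i + m.end(), {}
        for _ in range(n):
            k, j = _parse(s, j, in_key=True)
            v, j = _parse(s, j)
            out[k] = v
        if s[j:j + 1] != '}':
            raise ValueError(f"unterminated array at offset {i}")
        return out, j + 1
    raise ValueError(f"unexpected token {t!r} at offset {i}")

def check_serialized(s):
    """Return (True, decoded) for a well-formed string, else (False, reason)."""
    try:
        val, end = _parse(s, 0)
        if end != len(s):
            raise ValueError(f"trailing data at offset {end}")
        return True, val
    except ValueError as e:
        return False, str(e)
```

Objects (`O:`) and references (`r:`/`R:`) are deliberately not handled, so any input using them is rejected rather than passed through unchecked.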
Patches
68545_55 (last revision 2014-12-04 09:42 UTC by ab@php.net)
History
[2014-12-04 09:49 UTC] ab@php.net
-Status: Open +Status: Feedback
[2014-12-04 13:19 UTC] charlie at ceriksen dot com
-Status: Feedback +Status: Open
[2014-12-04 15:38 UTC] ab@php.net
[2014-12-10 11:37 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab