PHP :: Bug #68740 :: null pointer dereference

Bug #68740 null pointer dereference

Submitted: 2015-01-04 10:21 UTC
Modified: 2015-01-08 08:15 UTC
From: bugreports at internot dot info
Assigned: laruence
Status: Closed
Package: Regexps related
PHP Version: master-Git-2015-01-04 (Git)
OS: Linux Ubuntu 14.04
Private report: No
CVE-ID: None

 [2015-01-04 10:21 UTC] bugreports at internot dot info

Description:
------------
Hi,

An explicit null dereference happens in /ext/ereg/regex/regcomp.c:

140        g->setbits = NULL;

then this is called:

167        categorize(p, g);

which does this:

1326                if (cats[c] == 0 && isinsets(g, c)) {
And then the isinsets function does this:

1279        for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
1280                if (col[uc] != 0)
1281                        return(1);
which will cause a crash.

Thanks,

History

 [2015-01-08 08:15 UTC] laruence@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence

 [2015-05-28 20:37 UTC] thoger at redhat dot com

Is there any test case to trigger this crash?

NULL dereference in isinsets() can only happen if ncols is greater than 0.  ncols is:

1276         register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT;

ncsets is initialized to 0:

 141         g->ncsets = 0;

and only changed in allocset():

1003         register int no = p->g->ncsets++;

Further on in allocset():

1010         if (no >= p->ncsalloc) {        /* need another column of space */
1011                 p->ncsalloc += CHAR_BIT;

...

1020                 if (p->g->setbits == NULL)
1021                         p->g->setbits = (uch *)malloc(nbytes);
1022                 else {
1023                         p->g->setbits = (uch *)realloc((unsigned char *)p->g->setbits,
1024                                                                 nbytes);

ncsalloc is also initialized to 0 and only incremented in allocset().  Hence on the first allocset() call, the code to allocate setbits is reached.  So the isinsets() NULL dereference could only happen on a failed malloc, and if the subsequent SETERROR fails to halt processing as it's meant to.  Is there some code path I'm overlooking?
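A small C model of the reasoning in the comment above, added here as an example (it is not code from php-src): it keeps the ncols/ncsets/ncsalloc relationships quoted in the thread, simulates the failed-malloc branch, and adds the NULL guard a reviewer would want in isinsets(). The struct layout, the simulate_oom flag and scenario() are constructed for this example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
typedef unsigned char uch;

/* Constructed model of the re_guts fields the comments discuss: setbits has one
 * byte per character per column, each column covering CHAR_BIT sets. */
struct guts { uch *setbits; int ncsets, ncsalloc, csetsize; };

/* isinsets() as quoted, plus a NULL guard. With ncsets == 0 the loop never reads
 * setbits; the guard matters only if ncsets grew while setbits stayed NULL. */
static int isinsets(const struct guts *g, int c)
{
    int ncols = (g->ncsets + (CHAR_BIT - 1)) / CHAR_BIT;
    const uch *col = g->setbits;
    if (ncols > 0 && col == NULL) return 0;  /* hardened: no NULL dereference */
    for (int i = 0; i < ncols; i++, col += g->csetsize)
        if (col[(uch)c]) return 1;
    return 0;
}

/* allocset()'s growth path: the first call takes ncsalloc 0 -> CHAR_BIT and allocates
 * setbits before anything reads it. simulate_oom stands in for the failed-malloc
 * (SETERROR) branch. Returns the set number, or -1 on failure. */
static int allocset(struct guts *g, int simulate_oom)
{
    int no = g->ncsets++;
    if (no >= g->ncsalloc) {
        size_t nbytes = (size_t)(g->ncsalloc + CHAR_BIT) / CHAR_BIT * g->csetsize;
        uch *nb = simulate_oom ? NULL : (uch *)realloc(g->setbits, nbytes);
        g->ncsalloc += CHAR_BIT;
        if (nb == NULL) return -1;  /* ncsets is now 1 while setbits is still NULL */
        memset(nb + nbytes - g->csetsize, 0, (size_t)g->csetsize);  /* zero new column */
        g->setbits = nb;
    }
    return no;
}

/* Walk the comments' reasoning. Returns 1 when 'a' is added to set 0 and found; 2 when
 * a simulated malloc failure leaves ncsets == 1 with setbits == NULL and the guarded
 * isinsets() still answers 0 instead of crashing; 0 if the model broke. */
static int scenario(int simulate_oom)
{
    struct guts g = { NULL, 0, 0, 1 << CHAR_BIT };
    int ok = isinsets(&g, 'a') == 0;  /* fresh parse: ncols == 0, loop skipped */
    int no = allocset(&g, simulate_oom);
    if (no < 0) return ok && g.ncsets == 1 && !g.setbits && isinsets(&g, 'a') == 0 ? 2 : 0;
    g.setbits[(no / CHAR_BIT) * g.csetsize + 'a'] |= (uch)(1u << (no % CHAR_BIT));
    ok = ok && isinsets(&g, 'a') == 1 && isinsets(&g, 'b') == 0;
    free(g.setbits);
    return ok ? 1 : 0;
}
```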