CachingIterator null dereference when convert to string
| Bug #73073 | CachingIterator null dereference when convert to string | | |
|---|---|---|---|
| Submitted: | 2016-09-13 16:25 UTC | Modified: | 2017-02-13 01:20 UTC |
| From: | ahihibughunter at gmail dot com | Assigned: | stas |
| Status: | Closed | Package: | SPL related |
| PHP Version: | 5.6.26RC1 | OS: | ALL |
| Private report: | No | CVE-ID: | None |
[2016-09-13 16:25 UTC] ahihibughunter at gmail dot com
Description:
------------
```c
SPL_METHOD(CachingIterator, __toString)
{
    ....
    if (intern->u.caching.flags & CIT_TOSTRING_USE_KEY) {
        MAKE_COPY_ZVAL(&intern->current.key, return_value); /* <- &intern->current.key used without checking its value */
        convert_to_string(return_value);
    ....
}
```
Test script:
---------------
```php
<?php
$it = new CachingIterator(new ArrayIterator(array()), CachingIterator::TOSTRING_USE_KEY);
var_dump((string)$it);
?>
```
Expected result:
----------------
no crash
Actual result:
--------------
```text
zx@ubuntu:~/zx/php$ gdb php5/php-src-PHP-5.6.26/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
....
gdb-peda$ r crash.php
Starting program: /home/zx/zx/php/php5/php-src-PHP-5.6.26/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffa358 --> 0x7ffff7fbed18 --> 0x0
RCX: 0x7ffff7fbed18 --> 0x0
RDX: 0x40 ('@')
RSI: 0x7ffff7fbed18 --> 0x0
RDI: 0x7ffff7fbd5f8 --> 0x5a5a5a5a00000001
RBP: 0x7fffffffa050 --> 0x7fffffffa1c0 --> 0x7fffffffa300 --> 0x7fffffffa3a0 --> 0x7fffffffa3f0 --> 0x7fffffffa450 (--> ...)
RSP: 0x7fffffffa000 --> 0x7ffff7fbd5f8 --> 0x5a5a5a5a00000001
RIP: 0x88d817 (<zim_spl_CachingIterator___toString+210>: mov rdx,QWORD PTR [rax+0x8])
R8 : 0x1
R9 : 0x0
R10: 0x477
R11: 0x7ffff4ef1730 --> 0xfffda400fffda12f
R12: 0x439100 (<_start>: xor ebp,ebp)
R13: 0x7fffffffddd0 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x88d80b <zim_spl_CachingIterator___toString+198>: mov rax,QWORD PTR [rbp-0x18]
   0x88d80f <zim_spl_CachingIterator___toString+202>: mov rax,QWORD PTR [rax+0x48]
   0x88d813 <zim_spl_CachingIterator___toString+206>: mov rcx,QWORD PTR [rbp-0x40]
=> 0x88d817 <zim_spl_CachingIterator___toString+210>: mov rdx,QWORD PTR [rax+0x8]
   0x88d81b <zim_spl_CachingIterator___toString+214>: mov rax,QWORD PTR [rax]
   0x88d81e <zim_spl_CachingIterator___toString+217>: mov QWORD PTR [rcx],rax
   0x88d821 <zim_spl_CachingIterator___toString+220>: mov QWORD PTR [rcx+0x8],rdx
   0x88d825 <zim_spl_CachingIterator___toString+224>: mov rax,QWORD PTR [rbp-0x18]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa000 --> 0x7ffff7fbd5f8 --> 0x5a5a5a5a00000001
0008| 0x7fffffffa008 --> 0x7fffffffa358 --> 0x7ffff7fbed18 --> 0x0
0016| 0x7fffffffa010 --> 0x7ffff7fbed18 --> 0x0
0024| 0x7fffffffa018 --> 0x1
0032| 0x7fffffffa020 --> 0x7fffffffa050 --> 0x7fffffffa1c0 --> 0x7fffffffa300 --> 0x7fffffffa3a0 --> 0x7fffffffa3f0 (--> ...)
0040| 0x7fffffffa028 --> 0xa7ddc9 (<_emalloc+111>: leave)
0048| 0x7fffffffa030 --> 0x7ffff7fbff88 --> 0x1605130 --> 0x1
0056| 0x7fffffffa038 --> 0x7ffff7fbff88 --> 0x1605130 --> 0x1
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000088d817 in zim_spl_CachingIterator___toString (ht=0x0, return_value=0x7ffff7fbed18, return_value_ptr=0x7fffffffa358, this_ptr=0x7ffff7fbd5f8, return_value_used=0x1)
    at /home/zx/zx/php/php-src-PHP-5.6.26/ext/spl/spl_iterators.c:2866
warning: Source file is more recent than executable.
2866        MAKE_COPY_ZVAL(&intern->current.key, return_value);
gdb-peda$ print intern->current.key
$4 = (zval *) 0x0
```
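The report pins the crash on `intern->current.key` being a NULL `zval *` when the inner iterator has never yielded an element: the cache slot is only filled when an element is fetched, and an empty `ArrayIterator` never fetches one, so the `(string)` cast copies through a NULL pointer. The C program below is an added example, not PHP's source or the change that closed this bug. It models the cached slot and the `__toString` path with the missing NULL check in place, so the report's empty-iterator scenario yields "no cached element" instead of a segfault. The struct and `cit_*` names, the flag values and the sample data are all constructed for this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits of this model; named after the PHP constants, values constructed here. */
enum { TOSTRING_USE_KEY = 2, TOSTRING_USE_CURRENT = 4 };

/* The cached element, mirroring intern->current in the report: both pointers
 * stay NULL until the inner iterator has yielded something. */
typedef struct {
    char *key;
    char *data;
} cache_slot;

typedef struct {
    const char **inner;   /* values of the inner "ArrayIterator" */
    size_t inner_len;
    size_t pos;           /* index of the next inner element to fetch */
    unsigned flags;
    cache_slot current;
} caching_iter;

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

void cit_init(caching_iter *it, const char **inner, size_t n, unsigned flags) {
    memset(it, 0, sizeof *it);   /* cache pointers start out NULL */
    it->inner = inner;
    it->inner_len = n;
    it->flags = flags;
}

/* Drop the cached element. */
void cit_clear(caching_iter *it) {
    free(it->current.key);
    free(it->current.data);
    it->current.key = it->current.data = NULL;
}

/* Copy the next inner element into the cache. Over an empty inner array there
 * is nothing to copy, so the slot stays NULL: that is the state the report's
 * test script reaches before the (string) cast. */
void cit_fetch(caching_iter *it) {
    cit_clear(it);
    if (it->pos >= it->inner_len) return;
    char keybuf[32];
    snprintf(keybuf, sizeof keybuf, "%zu", it->pos);   /* array keys are 0, 1, ... */
    it->current.key = xstrdup(keybuf);
    it->current.data = xstrdup(it->inner[it->pos]);
    it->pos++;
}

/* __toString with the check the report found missing. The original copied
 * through intern->current.key unconditionally; here an unfilled slot yields
 * NULL, and otherwise a caller-owned copy of the key or value. */
char *cit_to_string(const caching_iter *it) {
    const char *src = NULL;
    if (it->flags & TOSTRING_USE_KEY)
        src = it->current.key;
    else if (it->flags & TOSTRING_USE_CURRENT)
        src = it->current.data;
    if (src == NULL)          /* nothing cached yet: report it, do not dereference */
        return NULL;
    return xstrdup(src);
}

/* Run the model over the first n of two constructed values (n == 0 reproduces
 * the report's empty iterator) with the given flags, fetch once, and compare
 * the conversion with expected, where expected == NULL means "no cached
 * element". Returns 1 on a match, 0 otherwise. */
int cit_check(size_t n, unsigned flags, const char *expected) {
    static const char *values[] = { "a", "b" };   /* constructed sample data */
    caching_iter it;
    cit_init(&it, values, n > 2 ? 2 : n, flags);
    cit_fetch(&it);
    char *s = cit_to_string(&it);
    int ok = (s == NULL) ? (expected == NULL)
                         : (expected != NULL && strcmp(s, expected) == 0);
    free(s);
    cit_clear(&it);
    return ok;
}

int main(void) {
    printf("empty iterator, USE_KEY, no crash and no value: %d\n",
           cit_check(0, TOSTRING_USE_KEY, NULL));
    printf("two elements, USE_KEY gives \"0\": %d\n",
           cit_check(2, TOSTRING_USE_KEY, "0"));
    printf("two elements, USE_CURRENT gives \"a\": %d\n",
           cit_check(2, TOSTRING_USE_CURRENT, "a"));
    return 0;
}
```

The same shape of check applies to the `TOSTRING_USE_CURRENT` branch, since `intern->current.data` is populated by the same fetch and is equally NULL over an empty inner iterator; a build of the model with the `src == NULL` test removed and run under AddressSanitizer reports the NULL read the gdb session above shows at `spl_iterators.c:2866`.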
[2016-09-21 06:01 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-09-21 10:54 UTC] ahihibughunter at gmail dot com
[2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2017-02-13 01:20 UTC] stas@php.net
-Type: Security +Type: Bug