Fix #76813: Access violation near NULL on source operand
We avoid `YYCURSOR` becoming `NULL` by initializing `YYMARKER`, and add
a default rule for `<NORMAL>` where we catch unexpected input.

We also fix the only superficially related issue regarding empty input
followed by `T_SEPARATOR` and command, which caused another segfault.

Closes GH-6464.
cmb69 committed Nov 30, 2020
1 parent b855907 commit 5e15c9c
Showing 4 changed files with 24 additions and 3 deletions.
3 changes: 3 additions & 0 deletions NEWS
@@ -24,6 +24,9 @@ PHP NEWS
. Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to
lack of OCB support). (Nikita)

- Phpdbg:
. Fixed bug #76813 (Access violation near NULL on source operand). (cmb)

- Standard:
. Fixed bug #80366 (Return Value of zend_fstat() not Checked). (sagpant, cmb)
. Fixed bug #80411 (References to null-serialized object break serialize()).
6 changes: 5 additions & 1 deletion sapi/phpdbg/phpdbg_lexer.l
@@ -33,7 +33,7 @@ void phpdbg_init_lexer (phpdbg_param_t *stack, char *input) {

YYSETCONDITION(INITIAL);

LEX(text) = YYCURSOR = (unsigned char *) input;
LEX(text) = YYCURSOR = YYMARKER = (unsigned char *) input;
LEX(len) = strlen(input);
}
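Review bot: the new `LEX(text) = YYCURSOR = YYMARKER = (unsigned char *) input;` addresses the uninitialized-pointer root cause named in the commit message, but nothing at the call site records why `YYMARKER` must start at `input`. Suggest a one-line comment beside it, e.g. `/* re2c restores YYCURSOR from YYMARKER when it backtracks; keep it valid */`, so a later cleanup does not drop the initialization and reintroduce the near-NULL access.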

@@ -165,6 +165,10 @@ INPUT ("\\"[#"']|["]("\\\\"|"\\"["]|[^\n\000"])+["]|[']("\\"[']|"\\\\"|[^\
return T_ID;
}
<NORMAL>* {

@rlerdorf (Member) commented on Jan 8, 2021:
Note that this syntax requires re2c >= 0.13.7, and the PHP 8 minimum version for re2c is set to 0.13.4. This will fail with `re2c: error: line 168, column 9: syntax error` on re2c 0.13.4.

@cmb69 (Author, Contributor) commented on Jan 8, 2021:

This commit has been reverted from PHP-7.4 (never shipped in a GA), and only applied to PHP-8.0, where the minimum version of re2c has been bumped (#6516). Is re2c 0.13.4 still something that we need to support for PHP-8.0?

return T_UNEXPECTED;
}
<RAW>{INPUT} {
phpdbg_init_param(yylval, STR_PARAM);
yylval->str = estrdup(yytext);
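Review bot: the `<NORMAL>* {` default rule uses syntax that, as the inline discussion points out, needs re2c >= 0.13.7, yet this hunk does not raise the build's minimum re2c version or say so next to the rule; the version bump should land together with this change (or the requirement be stated in a comment at the rule) so the lexer cannot be regenerated with an older re2c and fail at this line. The `return T_UNEXPECTED;` itself is the right shape: unexpected bytes now reach the parser as a distinct token, which is what the `unexpected input` messages in the new test check.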
8 changes: 6 additions & 2 deletions sapi/phpdbg/phpdbg_parser.y
@@ -63,11 +63,15 @@ typedef void* yyscan_t;
%% /* Rules */

input
: command { $$ = $1; }
| input T_SEPARATOR command { phpdbg_stack_separate($1.top); $$ = $3; }
: non_empty_input { $$ = $1; }
| /* empty */
;

non_empty_input
: command { $$ = $1; }
| non_empty_input T_SEPARATOR command { phpdbg_stack_separate($1.top); $$ = $3; }
;

command
: parameters { $$.top = PHPDBG_G(parser_stack)->top; }
| full_expression { phpdbg_stack_push(PHPDBG_G(parser_stack), &$1); $$.top = PHPDBG_G(parser_stack)->top; }
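Review bot: making `input` either `non_empty_input` or empty means a separator with nothing before it (the empty-input-then-`T_SEPARATOR` case the commit message mentions) is now rejected by the grammar instead of reaching `phpdbg_stack_separate($1.top)` with nothing on the stack, but the added test only exercises the lexer-garbage path. Suggest a second test input consisting of a leading separator followed by a command, so the parser change has its own regression coverage.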
10 changes: 10 additions & 0 deletions sapi/phpdbg/tests/bug76813.phpt
@@ -0,0 +1,10 @@
--TEST--
Bug #76813 (Access_violation_near_NULL_on_source_operand)
--PHPDBG--
"#!==)===\377\377\276\242="
#!==)===\377\377\276\242=
--EXPECT--
prompt> [Parse Error: syntax error, unexpected input, expecting $end]
prompt> [Parse Error: syntax error, unexpected # (pound sign), expecting $end]
prompt> [Parse Error: syntax error, unexpected # (pound sign), expecting $end]
prompt>
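Review bot: the `--TEST--` title writes the bug description with underscores (`Access_violation_near_NULL_on_source_operand`) while the NEWS entry and the commit title use spaces; use the plain-text form. Also, `--EXPECT--` lists three parse errors for the two `--PHPDBG--` input lines; a short note on why the second line produces two errors would save the next reader from assuming the expectation is stale.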

0 comments on commit 5e15c9c
