Running the CLI with -w (strip comments and whitespace) or -s (syntax highlight) calls zend_strip() or zend_highlight() directly from do_cli() without executing any script, so EG(current_execute_data), i.e. executor_globals.current_execute_data, is still NULL while the scanner runs. When the scanner's end-of-input nesting check (check_nesting_at_end -> report_bad_nesting) finds unbalanced brackets in the input it throws a ParseError via zend_throw_exception(), and that path reaches is_handle_exception_set(), which reads a member of EG(current_execute_data) without first testing the pointer. The result is a NULL pointer dereference and a crash. The faulting address 0x18 in the ASAN report below is consistent with reading the func member of a NULL zend_execute_data on a 64-bit build (opline, call and return_value precede it, 8 bytes each). Since it is a read of the zero page, the impact is a crash of the CLI process on malformed input rather than memory corruption. With -s -w on the command line the trace shows the strip path (zend_strip); either flag alone reaches the same nesting check.
Test Environment
Ubuntu 20.04, 64-bit; PHP 8.0.23
How to trigger
Compile the program with AddressSanitizer
Run command $ ./php -s -w POC
Details
ASAN report
$ ../php -s -w POC
(The stripped source is echoed first. The POC is fuzzer-generated and contains non-printable bytes, shown here as �.)
<?php
$flor="red"; switch ($favcolo; break; case "blue": echo "2"; ":
echo "d; break; default� echo "4"; } ?>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==805955==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000022e4bc5 bp 0x7fffbee259f0 sp 0x7fffbee258d0 T0)
==805955==The signal is caused by a READ memory access.
==805955==Hint: address points to the zero page.
#0 0x22e4bc5 in is_handle_exception_set /home/root/php/sourcecode/php/Zend/zend_exceptions.c:149:10
#1 0x22e4bc5 in zend_throw_exception_internal /home/root/php/sourcecode/php/Zend/zend_exceptions.c:177:4
#2 0x22ffd34 in zend_throw_exception_zstr /home/root/php/sourcecode/php/Zend/zend_exceptions.c:866:2
#3 0x22e9fdf in zend_throw_exception /home/root/php/sourcecode/php/Zend/zend_exceptions.c:875:20
#4 0x1a4d23d in report_bad_nesting /home/root/php/sourcecode/php/Zend/zend_language_scanner.l:1270:2
#5 0x1a4ce37 in check_nesting_at_end /home/root/php/sourcecode/php/Zend/zend_language_scanner.l:1304:3
#6 0x1a3d45f in lex_scan /home/root/php/sourcecode/php/Zend/zend_language_scanner.l:2195:3
#7 0x1b93834 in zend_strip /home/root/php/sourcecode/php/Zend/zend_highlight.c:180:21
#8 0x246f9d0 in do_cli /home/root/php/sourcecode/php/sapi/cli/php_cli.c:964:5
#9 0x246bac2 in main /home/root/php/sourcecode/php/sapi/cli/php_cli.c:1339:18
#10 0x7ff2d96e5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x60289d in _start (/home/root/php/fuzz/php/php_a_s_w_random/php+0x60289d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/root/php/sourcecode/php/Zend/zend_exceptions.c:149:10 in is_handle_exception_set
==805955==ABORTING
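As an added illustration (not code from this report or from php-src), the C program below mirrors the leading members of zend_execute_data to show why a NULL frame pointer faults at address 0x18, and puts the unchecked shape of the predicate next to a NULL-checked one. The struct mirror, the helper names and the enum values are stand-ins chosen for the example (the opcode and function-type constants are arbitrary, and the layout assumes an LP64 target); the checked variant is a suggested shape, not php-src's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the leading members of struct _zend_execute_data (Zend/zend_compile.h).
 * Only member order and sizes matter here; the element types are stand-ins,
 * not Zend's. Assumption: LP64 target (8-byte pointers, 16-byte zval). */
typedef struct { uint64_t value; uint32_t u1, u2; } zval_like;  /* 16 bytes */
typedef struct { uint8_t opcode; } op_like;                     /* stand-in for zend_op */
enum { OP_HANDLE_EXCEPTION = 149 };         /* stand-in for ZEND_HANDLE_EXCEPTION (value chosen for the example) */
enum { FUNC_INTERNAL = 1, FUNC_USER = 2 };  /* stand-ins for the function type tags */
typedef struct { uint8_t type; } func_like; /* stand-in for zend_function.common */

typedef struct frame_like {
    const op_like     *opline;            /* 0x00 */
    struct frame_like *call;              /* 0x08 */
    zval_like         *return_value;      /* 0x10 */
    func_like         *func;              /* 0x18: the member the crashing read hit */
    zval_like          This;              /* 0x20 */
    struct frame_like *prev_execute_data; /* 0x30 */
} frame_like;

/* Stand-in for EG(current_execute_data): NULL when no script frame exists,
 * which is the state `php -w` / `php -s` run the scanner in. */
static frame_like *current_execute_data = NULL;

void set_current_frame(frame_like *f) { current_execute_data = f; }

/* Map a small faulting address from a NULL-based read (ASAN: "SEGV on unknown
 * address 0x18 ... address points to the zero page") to the member it hit. */
const char *frame_member_at(uintptr_t fault_addr) {
    static const struct { size_t off; const char *name; } members[] = {
        { offsetof(frame_like, opline),            "opline" },
        { offsetof(frame_like, call),              "call" },
        { offsetof(frame_like, return_value),      "return_value" },
        { offsetof(frame_like, func),              "func" },
        { offsetof(frame_like, This),              "This" },
        { offsetof(frame_like, prev_execute_data), "prev_execute_data" },
    };
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++)
        if (members[i].off == fault_addr) return members[i].name;
    return "(no leading member at that offset)";
}

/* Shape of the predicate as the trace shows it: the frame pointer is
 * dereferenced before anything tests it, so a NULL frame reads address 0x18. */
bool is_handle_exception_set_unchecked(void) {
    frame_like *execute_data = current_execute_data;
    return !execute_data->func
        || execute_data->func->type != FUNC_USER
        || execute_data->opline->opcode == OP_HANDLE_EXCEPTION;
}

/* Hardened shape (a suggestion for the example, not php-src's fix): with no
 * frame there is no opline to redirect, so report "handled" and let the caller
 * skip the frame update that would otherwise follow. */
bool is_handle_exception_set_checked(void) {
    frame_like *execute_data = current_execute_data;
    if (!execute_data)
        return true;
    return !execute_data->func
        || execute_data->func->type != FUNC_USER
        || execute_data->opline->opcode == OP_HANDLE_EXCEPTION;
}

/* Run either form of the predicate on a synthetic frame: a function of the
 * given type sitting on an opline with the given opcode. */
bool predicate_on_frame(bool checked, uint8_t func_type, uint8_t opcode) {
    static frame_like f;
    static func_like fn;
    static op_like op;
    memset(&f, 0, sizeof f);
    fn.type = func_type;
    op.opcode = opcode;
    f.func = &fn;
    f.opline = &op;
    set_current_frame(&f);
    bool r = checked ? is_handle_exception_set_checked() : is_handle_exception_set_unchecked();
    set_current_frame(NULL);
    return r;
}

int main(void) {
    printf("offsetof(func) = 0x%zx -> ASAN address 0x18 is a read of '%s'\n",
           offsetof(frame_like, func), frame_member_at(0x18));

    /* State during `php -w` / `php -s`: no frame. Only the checked form survives this. */
    set_current_frame(NULL);
    printf("no frame: checked predicate returns %d\n", is_handle_exception_set_checked());

    /* Normal execution: a user frame on an ordinary opline, both forms agree. */
    printf("user frame, ordinary opline: unchecked=%d checked=%d\n",
           predicate_on_frame(false, FUNC_USER, 0), predicate_on_frame(true, FUNC_USER, 0));
    printf("user frame on HANDLE_EXCEPTION: unchecked=%d\n",
           predicate_on_frame(false, FUNC_USER, OP_HANDLE_EXCEPTION));
    return 0;
}
```

The offset table is the part worth keeping around: when ASAN reports a read of a zero-page address, comparing it against offsetof() of the struct the faulting function is known to touch tells you which member was dereferenced through NULL before you open a debugger.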
Description
PHP NullPtr dereference - by misuse of the option "-w" or "-s"
When the CLI is invoked with "-w" or "-s" on a source file whose brackets are unbalanced, it dereferences a null pointer and crashes.
PHP/Zend/zend_exceptions.c Line 147:152
is_handle_exception_set() reads a member of EG(current_execute_data) (executor_globals.current_execute_data) without checking the pointer. With -w or -s no script is executing, so the pointer is still NULL when the scanner's nesting check throws, and the read faults. See the analysis and ASAN report above.
POC can be downloaded from https://github.com/randomssr/bugissues/blob/main/php/POC
PHP Version
PHP 8.0.23
Operating System
No response