Fix a NULL pointer dereference bug lead by php_pcre_replace_impl() #8271
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for the new PR! This is definitely an issue that needs to be fixed in PHP-8.0 and up; I'm not quite sure about what should happen in case Anyhow, a test case matching the PR as is (without the fix, this reproduces the segfault): |
Girgias
reviewed
Apr 1, 2022
If this segfaulted before I suppose we can add an exception? As this seems to be some sort of bug |
Yes, I think the edge-case of a failing preg_replace() has not been properly handled so far. |
php_pcre_replace_impl() will return NULL on failure. However in the function zim_RegexIterator_accept(), the return value of php_pcre_replace_impl() is directly used without any check, which could lead to NULL pointer dereference. Fix this by adding a NULL check.
zhou1615
force-pushed
the
php_pcre_replace_impl
branch
from
8f46842 to
60bf71d
Compare
Girgias
added a commit
to Girgias/php-src
that referenced
this pull request
Feb 6, 2023
… SPL RegexIterator() The regex is precompiled during the constructions of the object at line 1424 in spl_iterators.c Moreover, the warnings emitted by pcre_get_compiled_regex_cache() get promoted to InvalidArgumentExceptions. php_pcre_replace_impl() will only return NULL in case of an internal PCRE error, something which should not happen. Closes phpGH-8271
Girgias
pushed a commit
to Girgias/php-src
that referenced
this pull request
Feb 9, 2023
php_pcre_replace_impl() will return NULL on failure. However, in the implementation of RegexIterator::accept() the return value of php_pcre_replace_impl() is directly used without any check, which leads to a NULL pointer dereference. Fix this by adding a NULL check, and returning false in that case. Closes phpGH-8271 Signed-off-by: George Peter Banyard <[email protected]>
Girgias
pushed a commit
to Girgias/php-src
that referenced
this pull request
Feb 9, 2023
php_pcre_replace_impl() will return NULL on failure. However, in the implementation of RegexIterator::accept() the return value of php_pcre_replace_impl() is directly used without any check, which leads to a NULL pointer dereference. Fix this by adding a NULL check, and returning false in that case. Closes phpGH-8271 Signed-off-by: George Peter Banyard <[email protected]>
Girgias
pushed a commit
to Girgias/php-src
that referenced
this pull request
Feb 13, 2023
php_pcre_replace_impl() will return NULL on failure. However, in the implementation of RegexIterator::accept() the return value of php_pcre_replace_impl() is directly used without any check, which leads to a NULL pointer dereference. Fix this by adding a NULL check, and returning false in that case. Closes phpGH-8271 Signed-off-by: George Peter Banyard <[email protected]>
Girgias
pushed a commit
to Girgias/php-src
that referenced
this pull request
Mar 10, 2023
php_pcre_replace_impl() will return NULL on failure. However, in the implementation of RegexIterator::accept() the return value of php_pcre_replace_impl() is directly used without any check, which leads to a NULL pointer dereference. Fix this by adding a NULL check, and returning false in that case. Closes phpGH-8271 Signed-off-by: George Peter Banyard <[email protected]>
Girgias
pushed a commit
to Girgias/php-src
that referenced
this pull request
Mar 10, 2023
php_pcre_replace_impl() will return NULL on failure. However, in the implementation of RegexIterator::accept() the return value of php_pcre_replace_impl() is directly used without any check, which leads to a NULL pointer dereference. Fix this by adding a NULL check, and returning false in that case. Closes phpGH-8271 Signed-off-by: George Peter Banyard <[email protected]>
|
This fix is incomplete as it leaks memory, but fortunately this was already fixed by b3a56bd (including a test) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
php_pcre_replace_impl() will return NULL on failure. However in the function
zim_RegexIterator_accept(), the return value of php_pcre_replace_impl()
is directly used without any check, which could lead to NULL
pointer dereference.
Fix this by adding a NULL check.
This bug is found by a static analyzer, so it is hard to reproduce it.