I came up with a quick fix for this issue in ab5d9e2. However, since I'm not very familiar with the code base I'm not sure if it's the right thing to do. If it is, just ping me and I'll be happy to open a PR. :)
Backtrace and registers:
gdb> r url_mod.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
sanitize_value (flags=<optimized out>, str=0x7ffff167100a " =", len=2, zv=0x0, rfc5987=<optimized out>) at ext/http/src/php_http_params.c:368
0x00000000010eae41 e8 2a 7e 39 ff sanitize_value+53 callq 0x482c70 <memcpy@plt>
0x00000000010eae46 41 c6 44 1f 18 00 sanitize_value+58 movb $0x0,0x18(%r15,%rbx,1)
0x00000000010eae4c 41 f6 44 24 09 04 sanitize_value+64 testb $0x4,0x9(%r12) <-
0x00000000010eae52 74 60 sanitize_value+70 je 0x10eaeb4 <push_param+1220>
0x00000000010eae54 64 48 8b 04 25 00 00 00 00 sanitize_value+72 mov %fs:0x0,%rax
gdb> bt
#0 sanitize_value (flags=<optimized out>, str=0x7ffff167100a " =", len=2, zv=0x0, rfc5987=<optimized out>) at ext/http/src/php_http_params.c:368
#1 push_param (params=<optimized out>, state=<optimized out>, opts=<optimized out>) at ext/http/src/php_http_params.c:558
#2 0x00000000010ea034 in php_http_params_parse (params=<optimized out>, opts=<optimized out>) at ext/http/src/php_http_params.c:753
#3 0x00000000010f6060 in php_http_querystring_parse (ht=<optimized out>, str=<optimized out>, len=<optimized out>) at ext/http/src/php_http_querystring.c:224
#4 0x00000000010f6739 in php_http_querystring_update (qarray=<optimized out>, params=0x7fffffff9f58, outstring=0x0) at ext/http/src/php_http_querystring.c:268
#5 0x00000000010fe4c0 in php_http_url_mod (old_url=<optimized out>, new_url=<optimized out>, flags=<optimized out>) at ext/http/src/php_http_url.c:237
#6 0x000000000110833e in zim_HttpUrl_mod (execute_data=0x7ffff1613130, return_value=<optimized out>) at ext/http/src/php_http_url.c:1670
#7 0x00000000013fedfd in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x7ffff1613030) at Zend/zend_vm_execute.h:1103
#8 0x000000000139b6ae in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#9 0x000000000139c144 in zend_execute (op_array=<optimized out>, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#10 0x00000000012b364b in zend_execute_scripts (type=<optimized out>, retval=<optimized out>, file_count=<optimized out>) at Zend/zend.c:1441
#11 0x000000000116b2b8 in php_execute_script (primary_file=<optimized out>) at main/main.c:2532
#12 0x000000000150cffb in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:990
#13 0x000000000150ac11 in main (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:1383
gdb> i r
rax 0x7ffff16556b8 140737243338424
rbx 0x2 2
rcx 0x3d20 15648
rdx 0x2 2
rsi 0x7ffff1673d20 140737243462944
rdi 0x7ffff16556b8 140737243338424
rbp 0x7ffff167100a 0x7ffff167100a
rsp 0x7fffffff9b60 0x7fffffff9b60
r8 0x7fffffff9b8f 140737488329615
r9 0x1 1
r10 0x477 1143
r11 0x7ffff2c54ea0 140737266405024
r12* 0x0 0
r13 0x7fffffff9d00 140737488329984
r14 0x1dad868 31119464
r15 0x7ffff16556a0 140737243338400
rip 0x10eae4c 0x10eae4c <push_param+1116>
eflags 0x10202 [ IF RF ]
[...]
I stumbled across another null ptr deref in sanitize_value()/php_url_mod() caused by the following code:
Result:
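Reading the crash site: frame #0 shows zv=0x0, r12 is 0x0, and the faulting instruction testb $0x4,0x9(%r12) reads the byte at offset 9 of that NULL pointer. On the little-endian PHP 7 zval layout that byte is u1.v.type_flags and bit 0x4 is IS_TYPE_REFCOUNTED, so this appears to be a refcount check on a NULL zv (my inference from the disassembly, not from the source). The C below is an added model of that layout, not pecl_http or Zend code (struct and function names are mine); it confirms the offset and shows the guarded form of the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the PHP 7 zval header on a little-endian target: an 8-byte
 * value union followed by the u1 byte fields. Offsets are my reading of
 * Zend/zend_types.h; this is not the real zval definition. */
typedef struct {
    uint64_t value;       /* zend_value, 8 bytes             */
    uint8_t  type;        /* u1.v.type,       offset 8       */
    uint8_t  type_flags;  /* u1.v.type_flags, offset 9       */
    uint8_t  const_flags; /* offset 10                        */
    uint8_t  reserved;    /* offset 11                        */
    uint32_t u2;          /* offset 12                        */
} model_zval;

/* The 0x4 bit tested by `testb $0x4,0x9(%r12)`. */
#define IS_TYPE_REFCOUNTED (1 << 2)

/* What the faulting instruction computes when r12 holds zv.
 * With zv == NULL this dereferences address 0x9 and faults. */
static int model_is_refcounted(const model_zval *zv)
{
    return (zv->type_flags & IS_TYPE_REFCOUNTED) != 0;
}

/* Guarded form: a NULL zv is reported as -1 instead of dereferenced. */
static int model_is_refcounted_checked(const model_zval *zv)
{
    if (zv == NULL) {
        return -1;
    }
    return model_is_refcounted(zv);
}

/* Builds a zval with the given flags and runs the guarded check. */
static int model_check_with_flags(uint8_t flags)
{
    model_zval zv = { .type = 6 /* IS_STRING */, .type_flags = flags };
    return model_is_refcounted_checked(&zv);
}

/* Displacement the instruction must match for this reading to hold. */
static size_t model_type_flags_offset(void)
{
    return offsetof(model_zval, type_flags);
}

int main(void)
{
    printf("type_flags offset: %zu (displacement in testb is 0x9)\n", model_type_flags_offset());
    printf("refcounted string: %d\n", model_check_with_flags(IS_TYPE_REFCOUNTED));
    printf("NULL zv: %d (unguarded check would SIGSEGV)\n", model_is_refcounted_checked(NULL));
    return 0;
}
```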