Applying zero offset to null pointer in zend_hash.c #13833

Closed
YuanchengJiang opened this issue Mar 29, 2024 · 1 comment

YuanchengJiang commented Mar 29, 2024

Description

Run the following test code (phpt):

--TEST--
Applying zero offset to null pointer in zend_hash.c
--INI--
phar.require_hash=0
phar.readonly=0
--FILE--
<?php
$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar.php';
$pname = 'phar://' . $fname;
$file = "<?php
Phar::mapPhar('hio');
__HALT_COMPILER(); ?>";
$files = array();
$files['a'] = 'a';
include 'files/phar_test.inc';
include $fname;
echo file_get_contents('phar://hio/a');
$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar.php';
$pname = 'phar://' . $fname;
$file = "<?php __HALT_COMPILER(); ?>";
$files = array();
$files['a'] = array('cont' => 'a');
include 'files/phar_test.inc';
foreach($files as $name => $cont) {
    var_dump(file_get_contents($pname.'/'.$name));
}
$phar = new Phar($fname);
var_dump($phar->getMetadata());
$phar->setMetadata((object) ['my' => 'friend']);
unset($phar);
// NOTE: Phar will use the cached value of metadata if setMetaData was called on that Phar path before.
// Save the writes to the phar and use a different file path.
$fname_new = "$fname.copy.php";
copy($fname, $fname_new);
$phar = new Phar($fname_new);
var_dump($phar->getMetadata());
?>
--EXTENSIONS--
phar
--CLEAN--
<?php unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar.php'); ?>
<?php
unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar.php');
unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar.php.copy.php');
?>
--CREDITS--
Yuancheng Jiang <[email protected]>
Felix De Vliegher <[email protected]>
--EXPECT--
a
int(0)
RegexIterator::setMode(): Argument #1 ($mode) must be RegexIterator::MATCH, RegexIterator::GET_MATCH, RegexIterator::ALL_MATCHES, RegexIterator::SPLIT, or RegexIterator::REPLACE
int(0)
string(1) "a"
NULL
object(stdClass)#2 (1) {
  ["my"]=>
  string(6) "friend"
}

phar_test.inc: https://github.com/php/php-src/blob/master/ext/phar/tests/files/phar_test.inc

Resulted in this output:

/php-src/Zend/zend_hash.c:1800:2: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/Zend/zend_hash.c:1800:2 in

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

nielsdos added a commit to nielsdos/php-src that referenced this issue Mar 31, 2024
MAPPHAR_FAIL will call the destructor of the manifest, mounted_dirs, and
virtual_dirs tables. When a new phar object is allocated using (p)ecalloc,
the bytes are zeroed, but the flag for an uninitialized table is
non-zero. So we have to manually set the flag in case that we have a
code path that can destroy the tables without first initializing them at
least once.
nielsdos added a commit that referenced this issue Mar 31, 2024
* PHP-8.2:
  Fix GH-13833: Applying zero offset to null pointer in zend_hash.c
nielsdos added a commit that referenced this issue Mar 31, 2024
* PHP-8.3:
  Fix GH-13833: Applying zero offset to null pointer in zend_hash.c
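
The failure mode the commit message describes, as an added example that is not php-src code: a simplified model in which the table type, the flag value 0x08 and every function name are hypothetical. The destructor reports the NULL case instead of performing the pointer arithmetic, so the zeroed allocation can be compared with the manually flagged one.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical simplified model, not the Zend HashTable layout. */
#define TBL_UNINITIALIZED 0x08u /* non-zero, so zeroed memory does not carry it */
typedef struct {
    uint32_t flags;
    uint32_t hash_bytes; /* bytes of hash slots stored in front of data */
    char *data;          /* NULL until the first init */
} table;
typedef struct { table manifest, mounted_dirs, virtual_dirs; } archive;

int table_init(table *t, uint32_t hash_bytes, size_t data_bytes) {
    char *block = malloc(hash_bytes + data_bytes);
    if (!block) return -1;
    t->hash_bytes = hash_bytes;
    t->data = block + hash_bytes;
    t->flags = 0;
    return 0;
}

/* 1: skipped as uninitialized, 0: storage released, -1: NULL data (the UBSan case). */
int table_destroy(table *t) {
    if (t->flags & TBL_UNINITIALIZED) return 1;
    if (t->data == NULL) return -1; /* the model stops instead of doing data - hash_bytes */
    free(t->data - t->hash_bytes);
    t->data = NULL;
    t->flags = TBL_UNINITIALIZED;
    return 0;
}

/* calloc zeroes the struct; apply_fix then sets the flag on each table by hand. */
archive *archive_new(int apply_fix) {
    archive *a = calloc(1, sizeof *a);
    if (a && apply_fix)
        a->manifest.flags = a->mounted_dirs.flags = a->virtual_dirs.flags = TBL_UNINITIALIZED;
    return a;
}

/* Failure path: destroy all three tables; returns how many hit the NULL case. */
int archive_fail(archive *a) {
    if (!a) return -1;
    table *tables[] = { &a->manifest, &a->mounted_dirs, &a->virtual_dirs };
    int null_hits = 0;
    for (size_t i = 0; i < 3; i++)
        null_hits += (table_destroy(tables[i]) == -1);
    free(a);
    return null_hits;
}
int main(void) { return archive_fail(archive_new(0)) == 3 && archive_fail(archive_new(1)) == 0 ? 0 : 1; }
```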

Jpazm01 commented Jan 27, 2025

#13833
