authorChristoph M. Becker <cmbecker69@gmx.de>2020-11-28 13:47:37 +0100
committerChristoph M. Becker <cmbecker69@gmx.de>2020-11-30 12:29:24 +0100
commit5e15c9c41f8318a8392c2e2c78544f218736549c (patch)
tree9c1aae646e4ff105311773f8209afe7d6b783dba /sapi/phpdbg
parentb855907f545cddc8f70e8a482da254a7740fb00d (diff)
Fix #76813: Access violation near NULL on source operand
We avoid `YYCURSOR` becoming `NULL` by initializing `YYMARKER`, and add a default rule for `<NORMAL>` where we catch unexpected input. We also fix the only superficially related issue regarding empty input followed by `T_SEPARATOR` and command, which caused another segfault. Closes GH-6464.
Diffstat (limited to 'sapi/phpdbg')
-rw-r--r--sapi/phpdbg/phpdbg_lexer.l6
-rw-r--r--sapi/phpdbg/phpdbg_parser.y8
-rw-r--r--sapi/phpdbg/tests/bug76813.phpt10
3 files changed, 21 insertions, 3 deletions
diff --git a/sapi/phpdbg/phpdbg_lexer.l b/sapi/phpdbg/phpdbg_lexer.l
index 422cda4f2c..e57702ba0b 100644
--- a/sapi/phpdbg/phpdbg_lexer.l
+++ b/sapi/phpdbg/phpdbg_lexer.l
@@ -33,7 +33,7 @@ void phpdbg_init_lexer (phpdbg_param_t *stack, char *input) {
YYSETCONDITION(INITIAL);
- LEX(text) = YYCURSOR = (unsigned char *) input;
+ LEX(text) = YYCURSOR = YYMARKER = (unsigned char *) input;
LEX(len) = strlen(input);
}
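Review bot: The added `YYMARKER` initialisation on the `LEX(text) = YYCURSOR = YYMARKER = ...` line carries no comment saying why it is required, so a later cleanup could remove it as redundant and reopen the crash. A comment above the assignment would help, for example `/* YYMARKER must point into the input from the start: the scanner can restore YYCURSOR from it, and an unset marker produced a NULL cursor (bug #76813) */`. The restore-on-backtrack explanation is inferred from the commit message, not from lines in this hunk, so the wording should be confirmed. The signature of phpdbg_init_lexer appears only in the hunk header; the body shown also passes `input` to `strlen()` unchecked, which is safe only if callers never hand in NULL.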
@@ -165,6 +165,10 @@ INPUT ("\\"[#"']|["]("\\\\"|"\\"["]|[^\n\000"])+["]|[']("\\"[']|"\\\\"|[^\
return T_ID;
}
+<NORMAL>* {
+ return T_UNEXPECTED;
+}
+
<RAW>{INPUT} {
phpdbg_init_param(yylval, STR_PARAM);
yylval->str = estrdup(yytext);
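Review bot: The new default rule is scoped to `<NORMAL>` only, so a byte that no rule accepts in another start condition could still leave the generated scanner with no rule to take; whether `<RAW>` or the `INITIAL` condition already have a catch-all is not visible in this hunk. It would be worth checking the remaining conditions and building the lexer with re2c's `-Wundefined-control-flow` so that any missing default is reported at build time. The rule would also benefit from a one-line comment such as `/* default rule: input no other <NORMAL> rule matches becomes a parse error */`. The `<RAW>{INPUT}` rule at the end of the hunk continues outside it.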
diff --git a/sapi/phpdbg/phpdbg_parser.y b/sapi/phpdbg/phpdbg_parser.y
index 3031ce5a80..4c4a339c0a 100644
--- a/sapi/phpdbg/phpdbg_parser.y
+++ b/sapi/phpdbg/phpdbg_parser.y
@@ -63,11 +63,15 @@ typedef void* yyscan_t;
%% /* Rules */
input
- : command { $$ = $1; }
- | input T_SEPARATOR command { phpdbg_stack_separate($1.top); $$ = $3; }
+ : non_empty_input { $$ = $1; }
| /* empty */
;
+non_empty_input
+ : command { $$ = $1; }
+ | non_empty_input T_SEPARATOR command { phpdbg_stack_separate($1.top); $$ = $3; }
+ ;
+
command
: parameters { $$.top = PHPDBG_G(parser_stack)->top; }
| full_expression { phpdbg_stack_push(PHPDBG_G(parser_stack), &$1); $$.top = PHPDBG_G(parser_stack)->top; }
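Review bot: The split into `input` and `non_empty_input` is the actual fix for the separator-first crash, but nothing in the grammar records that, and the two rules look like a candidate for merging back. A comment above `non_empty_input` would protect it, for example `/* T_SEPARATOR must follow a command: with an empty left-hand side $1.top is not set when phpdbg_stack_separate() is called */`; that reading of the old failure is inferred from the commit message and should be confirmed. As a style point, the bare `| /* empty */` alternative could be written `| %empty` if the project's minimum Bison version supports it, which lets Bison check that the emptiness is intended. The `command` rule continues outside the hunk.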
diff --git a/sapi/phpdbg/tests/bug76813.phpt b/sapi/phpdbg/tests/bug76813.phpt
new file mode 100644
index 0000000000..61e5e3fea6
--- /dev/null
+++ b/sapi/phpdbg/tests/bug76813.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #76813 (Access_violation_near_NULL_on_source_operand)
+--PHPDBG--
+"#!==)===\377\377\276\242="
+#!==)===\377\377\276\242=
+--EXPECT--
+prompt> [Parse Error: syntax error, unexpected input, expecting $end]
+prompt> [Parse Error: syntax error, unexpected # (pound sign), expecting $end]
+prompt> [Parse Error: syntax error, unexpected # (pound sign), expecting $end]
+prompt>
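Review bot: The `--PHPDBG--` input spells the high bytes as the text `\377\377\276\242`, and it is not clear from this hunk whether the test runner or phpdbg turns those escapes into raw bytes before they reach the lexer. If they arrive as literal backslash sequences, the test does not feed the scanner the non-ASCII bytes from the original report and would pass for a different reason. The test also folds both fixes into one file with three expected errors for two input lines; a short description in `--TEST--` of which line covers the lexer default rule and which covers the separator-first grammar case would make a future failure easier to attribute.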