From 5e15c9c41f8318a8392c2e2c78544f218736549c Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Sat, 28 Nov 2020 13:47:37 +0100 Subject: Fix #76813: Access violation near NULL on source operand We avoid `YYCURSOR` becoming `NULL` by initializing `YYMARKER`, and add a default rule for `` where we catch unexpected input. We also fix the only superficially related issue regarding empty input followed by `T_SEPARATOR` and command, which caused another segfault. Closes GH-6464. --- NEWS | 3 +++ sapi/phpdbg/phpdbg_lexer.l | 6 +++++- sapi/phpdbg/phpdbg_parser.y | 8 ++++++-- sapi/phpdbg/tests/bug76813.phpt | 10 ++++++++++ 4 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 sapi/phpdbg/tests/bug76813.phpt diff --git a/NEWS b/NEWS index 7ede11b09c..6943db07f6 100644 --- a/NEWS +++ b/NEWS @@ -24,6 +24,9 @@ PHP NEWS . Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to lack of OCB support). (Nikita) +- Phpdbg: + . Fixed bug #76813 (Access violation near NULL on source operand). (cmb) + - Standard: . Fixed bug #80366 (Return Value of zend_fstat() not Checked). (sagpant, cmb) . Fixed bug #80411 (References to null-serialized object break serialize()). diff --git a/sapi/phpdbg/phpdbg_lexer.l b/sapi/phpdbg/phpdbg_lexer.l index 422cda4f2c..e57702ba0b 100644 --- a/sapi/phpdbg/phpdbg_lexer.l +++ b/sapi/phpdbg/phpdbg_lexer.l @@ -33,7 +33,7 @@ void phpdbg_init_lexer (phpdbg_param_t *stack, char *input) { YYSETCONDITION(INITIAL); - LEX(text) = YYCURSOR = (unsigned char *) input; + LEX(text) = YYCURSOR = YYMARKER = (unsigned char *) input; LEX(len) = strlen(input); } @@ -165,6 +165,10 @@ INPUT ("\\"[#"']|["]("\\\\"|"\\"["]|[^\n\000"])+["]|[']("\\"[']|"\\\\"|[^\ return T_ID; } +* { + return T_UNEXPECTED; +} + {INPUT} { phpdbg_init_param(yylval, STR_PARAM); yylval->str = estrdup(yytext); diff --git a/sapi/phpdbg/phpdbg_parser.y b/sapi/phpdbg/phpdbg_parser.y index 3031ce5a80..4c4a339c0a 100644 --- a/sapi/phpdbg/phpdbg_parser.y +++ b/sapi/phpdbg/phpdbg_parser.y @@ -63,11 +63,15 @@ typedef void* yyscan_t; %% /* Rules */ input - : command { $$ = $1; } - | input T_SEPARATOR command { phpdbg_stack_separate($1.top); $$ = $3; } + : non_empty_input { $$ = $1; } | /* empty */ ; +non_empty_input + : command { $$ = $1; } + | non_empty_input T_SEPARATOR command { phpdbg_stack_separate($1.top); $$ = $3; } + ; + command : parameters { $$.top = PHPDBG_G(parser_stack)->top; } | full_expression { phpdbg_stack_push(PHPDBG_G(parser_stack), &$1); $$.top = PHPDBG_G(parser_stack)->top; } diff --git a/sapi/phpdbg/tests/bug76813.phpt b/sapi/phpdbg/tests/bug76813.phpt new file mode 100644 index 0000000000..61e5e3fea6 --- /dev/null +++ b/sapi/phpdbg/tests/bug76813.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #76813 (Access_violation_near_NULL_on_source_operand) +--PHPDBG-- +"#!==)===\377\377\276\242=" +#!==)===\377\377\276\242= +--EXPECT-- +prompt> [Parse Error: syntax error, unexpected input, expecting $end] +prompt> [Parse Error: syntax error, unexpected # (pound sign), expecting $end] +prompt> [Parse Error: syntax error, unexpected # (pound sign), expecting $end] +prompt> -- cgit v1.2.1