Fix #76813: Access violation near NULL on source operand
authorChristoph M. Becker <cmbecker69@gmx.de>
Sat, 28 Nov 2020 12:47:37 +0000 (13:47 +0100)
committerChristoph M. Becker <cmbecker69@gmx.de>
Mon, 30 Nov 2020 11:29:24 +0000 (12:29 +0100)
We avoid `YYCURSOR` becoming `NULL` by initializing `YYMARKER`, and add
a default rule for `<NORMAL>` where we catch unexpected input.

We also fix a superficially related issue: empty input followed by `T_SEPARATOR`
and a command caused another segfault.

Closes GH-6464.

NEWS
sapi/phpdbg/phpdbg_lexer.l
sapi/phpdbg/phpdbg_parser.y
sapi/phpdbg/tests/bug76813.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index 7ede11b09cb8e37d0d977fba21b198f3610d203e..6943db07f6a845725c35a7a72321b7db1a768307 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,9 @@ PHP                                                                        NEWS
   . Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to
     lack of OCB support). (Nikita)
 
+- Phpdbg:
+  . Fixed bug #76813 (Access violation near NULL on source operand). (cmb)
+
 - Standard:
   . Fixed bug #80366 (Return Value of zend_fstat() not Checked). (sagpant, cmb)
   . Fixed bug #80411 (References to null-serialized object break serialize()).
index 422cda4f2c076aaa18444a16f38a30f8fc778354..e57702ba0b16732ab5596b2b69f25645439708ae 100644 (file)
@@ -33,7 +33,7 @@ void phpdbg_init_lexer (phpdbg_param_t *stack, char *input) {
 
        YYSETCONDITION(INITIAL);
 
-       LEX(text) = YYCURSOR = (unsigned char *) input;
+       LEX(text) = YYCURSOR = YYMARKER = (unsigned char *) input;
        LEX(len) = strlen(input);
 }
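Review bot: The added `YYMARKER` initialization on the `LEX(text) = YYCURSOR = YYMARKER = (unsigned char *) input;` line carries no explanation of the invariant it restores, so the next reader has no reason not to drop it again. re2c restores `YYCURSOR` from `YYMARKER` when it backtracks, and a backtrack that occurs before any rule has saved a marker reads whatever the variable held, which is presumably the NULL (or stale) cursor behind bug #76813. I would add above the assignment: `/* YYMARKER must never stay uninitialized: re2c backtracks via YYCURSOR = YYMARKER, and a backtrack before any marker save would otherwise restore a NULL cursor (bug #76813). */`. phpdbg_init_lexer begins before this hunk.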
 
@@ -165,6 +165,10 @@ INPUT       ("\\"[#"']|["]("\\\\"|"\\"["]|[^\n\000"])+["]|[']("\\"[']|"\\\\"|[^\
        return T_ID;
 }
 
+<NORMAL>* {
+       return T_UNEXPECTED;
+}
+
 <RAW>{INPUT} {
        phpdbg_init_param(yylval, STR_PARAM);
        yylval->str = estrdup(yytext);
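Review bot: The new `<NORMAL>*` catch-all covers only the NORMAL condition; the hunk shows at least one other condition (`<RAW>`) directly below it, and whether those can also be entered with a byte no rule matches is not visible here, so the old failure mode may survive there. Worth confirming with a short fuzz of non-ASCII bytes at each condition, and recording the purpose on the rule itself: `/* Default rule: without it re2c backtracks on unmatched input and can leave YYCURSOR invalid (bug #76813); hand the byte to the parser as T_UNEXPECTED instead. */`. Note that re2c's `*` default rule consumes a single code unit, so it also matches the NUL terminator unless the lexer's end-of-input rule has higher priority — confirm that rule still wins, or the parser will see T_UNEXPECTED instead of end of input.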
index 3031ce5a807744f24367df6379b0b45cbf7b7c85..4c4a339c0ab989fb545b6bb71e3be97894240a13 100644 (file)
@@ -63,11 +63,15 @@ typedef void* yyscan_t;
 %% /* Rules */
 
 input
-       : command { $$ = $1; }
-       | input T_SEPARATOR command { phpdbg_stack_separate($1.top); $$ = $3; }
+       : non_empty_input { $$ = $1; }
        | /* empty */
        ;
 
+non_empty_input
+       : command { $$ = $1; }
+       | non_empty_input T_SEPARATOR command { phpdbg_stack_separate($1.top); $$ = $3; }
+       ;
+
 command
        : parameters { $$.top = PHPDBG_G(parser_stack)->top; }
        | full_expression { phpdbg_stack_push(PHPDBG_G(parser_stack), &$1); $$.top = PHPDBG_G(parser_stack)->top; }
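Review bot: The `non_empty_input` split fixes the crash, but the grammar does not say why the extra nonterminal exists, and it is easy to "simplify" back into the removed form. The old `input T_SEPARATOR command` was reachable with `$1` produced by the `/* empty */` alternative, so `phpdbg_stack_separate($1.top)` ran on a `top` that was never set. I would add above `non_empty_input`: `/* A separator is only valid after at least one command: the action below reads $1.top, which the empty alternative of `input` never sets (bug #76813). */`. This also turns an input that begins with a separator from accepted-then-crashing into a parse error, which is the intended behaviour but is user-visible and could be mentioned in NEWS.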
diff --git a/sapi/phpdbg/tests/bug76813.phpt b/sapi/phpdbg/tests/bug76813.phpt
new file mode 100644 (file)
index 0000000..61e5e3f
--- /dev/null
@@ -0,0 +1,10 @@
+--TEST--
+Bug #76813 (Access_violation_near_NULL_on_source_operand)
+--PHPDBG--
+"#!==)===\377\377\276\242="
+#!==)===\377\377\276\242=
+--EXPECT--
+prompt> [Parse Error: syntax error, unexpected input, expecting $end]
+prompt> [Parse Error: syntax error, unexpected # (pound sign), expecting $end]
+prompt> [Parse Error: syntax error, unexpected # (pound sign), expecting $end]
+prompt>
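Review bot: The test only exercises the lexer default rule; the second fix described in the commit message (empty input followed by `T_SEPARATOR` and a command, in phpdbg_parser.y) has no input here, so a regression of that grammar change would still pass. Add a `--PHPDBG--` line consisting of the separator token followed by a command and pin the resulting parse error in `--EXPECT--`. The `--TEST--` title also uses underscores in place of spaces; `Bug #76813 (Access violation near NULL on source operand)` reads better and matches the NEWS entry.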