Skip to content

NULL deref in spl_directory.c #17225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
YuanchengJiang opened this issue Dec 20, 2024 · 2 comments
Closed

NULL deref in spl_directory.c #17225

YuanchengJiang opened this issue Dec 20, 2024 · 2 comments
Assignees
@nielsdos
Labels
Bug Extension: spl Status: Verified

Comments

@YuanchengJiang
Copy link

Description

The following code:

<?php
$fname = __DIR__ . '/gh14687.phar.zip';
$phar = new Phar($fname);
class HasDestructor {
public function __destruct() {
var_dump($GLOBALS['s']);
}
}
$s = new SplObjectStorage();
$s[$phar] = new HasDestructor();
register_shutdown_function(function() {
global $s;
});
$fusion = $phar;
if ($fusion->isLink()) {
}

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/ext/spl/spl_directory.c:209:36: runtime error: member access within null pointer of type 'php_stream' (aka 'struct _php_stream')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/spl/spl_directory.c:209:36

To reproduce:

-d "phar.readonly=0"

PHP Version

nightly

Operating System

No response
@nielsdos
Copy link
Member

I have a strong déjà vu with this one. Might try to analyze this tomorrow if someone else doesn't beat me to it.

@nielsdos nielsdos self-assigned this Dec 21, 2024
@nielsdos
Copy link
Member

This is extremely similar to GH-14687, fix may've been incomplete.

@nielsdos nielsdos changed the title SEGV ext/spl/spl_directory.c:209 NULL deref in spl_directory.c Dec 21, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Dec 21, 2024
@nielsdos
Fix phpGH-17225: NULL deref in spl_directory.c
2474759 
NULL checks for the glob stream are inconsistently applied. To solve
this generally, factor it out to a helper function so it's less likely
to be forgotten in the future.
@nielsdos nielsdos linked a pull request Dec 21, 2024 that will close this issue
Fix GH-17225: NULL deref in spl_directory.c #17231
Closed
nielsdos added a commit that referenced this issue Dec 21, 2024
@nielsdos
Merge branch 'PHP-8.3' into PHP-8.4
a026480 
* PHP-8.3:
  Fix GH-17225: NULL deref in spl_directory.c
nielsdos added a commit that referenced this issue Dec 21, 2024
@nielsdos
Merge branch 'PHP-8.4'
8d39261 
* PHP-8.4:
  Fix GH-17225: NULL deref in spl_directory.c
charmitro pushed a commit to wasix-org/php that referenced this issue Mar 13, 2025
@nielsdos @charmitro
Fix phpGH-17225: NULL deref in spl_directory.c
8e20a67 
NULL checks for the glob stream are inconsistently applied. To solve
this generally, factor it out to a helper function so it's less likely
to be forgotten in the future.

Closes phpGH-17231.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nielsdos nielsdos

Labels
Bug Extension: spl Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix GH-17225: NULL deref in spl_directory.c nielsdos/php-src
3 participants
@devnexen @nielsdos @YuanchengJiang