PHP 5.6.4 ereg() null pointer dereference

2015.01.09
Credit: internot
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi,

An explicit null dereference happens in /ext/ereg/regex/regcomp.c:

    140 g->setbits = NULL;

then this is called:

    167 categorize(p, g);

which does this:

    1326 if (cats[c] == 0 && isinsets(g, c)) {

And then the isinsets function does this:

    1279 for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
    1280     if (col[uc] != 0)
    1281         return(1);

which will cause a crash.

Thanks,

References:

https://bugs.php.net/bug.php?id=68740&edit=2
http://git.php.net/?p=php-src.git;a=commit;h=124fb22a13fafa3648e4e15b4f207c7096d8155e
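
The loop shape from the report next to a guarded variant, as an added example that is not PHP's code and not the change made in the referenced commit. `struct guts_model`, its field layout, and both function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the regex state (assumption): only what the loop reads. */
struct guts_model {
    int ncols;               /* number of columns in the set table */
    int csetsize;            /* bytes per column, one entry per character */
    unsigned char *setbits;  /* ncols * csetsize bytes, or NULL if never allocated */
};

/* Loop shape quoted in the report: reads col[uc] without checking setbits. */
int isinsets_unchecked(const struct guts_model *g, int c)
{
    const unsigned char *col;
    unsigned uc = (unsigned char)c;
    int i;

    for (i = 0, col = g->setbits; i < g->ncols; i++, col += g->csetsize)
        if (col[uc] != 0)
            return 1;
    return 0;
}

/* Guarded variant: a missing table means no set can contain c, and the
 * index must fit inside one column before the loop is allowed to run. */
int isinsets_checked(const struct guts_model *g, int c)
{
    unsigned uc = (unsigned char)c;

    if (g == NULL || g->setbits == NULL)
        return 0;
    if (g->csetsize <= 0 || uc >= (unsigned)g->csetsize)
        return 0;
    return isinsets_unchecked(g, c);
}

int main(void)
{
    /* Constructed state: table pointer still NULL, as on line 140 of the report. */
    struct guts_model empty = { .ncols = 1, .csetsize = 256, .setbits = NULL };

    printf("checked, NULL table: %d\n", isinsets_checked(&empty, 'a'));
    return 0;
}
```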

