Re: CVE Request: PHP

[Joshua Rogers <oss () internot info>]

Hi,
On 25/01/15 06:28, cve-assign () mitre org wrote:
> MITRE doesn't have a full code analysis and isn't confident about
> whether the "explicit null dereference" exists or not. All we can
> offer is that the "wouldn't change g->setbits to a non-NULL value"
> seems somewhat implausible because it means that significant intended
> functionality of the code wouldn't have worked at all.
The code branch is where this:
157        if (cflags&REG_EXTENDED)

is true. will lead to the null pointer deference

so this gets executed:
158                p_ere(p, OUT);


rather than the p_str(as stated):
159        else if (cflags&REG_NOSPEC)
160                p_str(p);


ereg is deprecated as of 5.3.0
(http://php.net/manual/en/function.ereg.php), and there doesn't seem to
be that much documentation on it, so it's hard to make a reproducer.


However,

79 = #define      REG_EXTENDED    0001

this gives a clue as to why it probably hasn't been caught before.

"REG_EXTENDED", according to the regex(3) manual, is for "POSIX Extended
Regular Expression syntax"

which probably isn't that common.


But, I do welcome an independent review.


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

Attachment: signature.asc
Description: OpenPGP digital signature