oss-sec mailing list archives
Re: CVE Request: PHP
From: Joshua Rogers <oss () internot info>
Date: Sun, 25 Jan 2015 07:43:05 +1100
Hi,

On 25/01/15 06:28, cve-assign () mitre org wrote:
> MITRE doesn't have a full code analysis and isn't confident about whether the "explicit null dereference" exists or not. All we can offer is that the "wouldn't change g->setbits to a non-NULL value" seems somewhat implausible because it means that significant intended functionality of the code wouldn't have worked at all.
The code branch is where this:

157 if (cflags&REG_EXTENDED)

is true, which will lead to the null pointer dereference, so this gets executed:

158 p_ere(p, OUT);

rather than the p_str (as stated):

159 else if (cflags&REG_NOSPEC)
160 p_str(p);

ereg is deprecated as of 5.3.0 (http://php.net/manual/en/function.ereg.php), and there doesn't seem to be that much documentation on it, so it's hard to make a reproducer.

However,

79 = #define REG_EXTENDED 0001

this gives a clue as to why it probably hasn't been caught before. "REG_EXTENDED", according to the regex(3) manual, is for "POSIX Extended Regular Expression syntax", which probably isn't that common.

But I do welcome an independent review.

Thanks,
--
Joshua Rogers <https://internot.info/>