Newsgroups: php.internals
Xref: news.php.net php.internals:80623
From: git@internot.info (Joshua Rogers)
To: internals@lists.php.net
Cc: Joshua Rogers
Date: Fri, 16 Jan 2015 19:14:20 +1100
Message-ID: <1421396060-13451-1-git-send-email-git@internot.info>
Subject: [PATCH] Fix null pointer dereference(s)

In multiple places 'spprintf' is called with a NULL 'pbuf', which it passes to vspprintf, which dereferences it.

Although most places check whether 'pbuf' (normally called 'error') is null, it is smarter to check it inside the function that requires a non-null value. This will avoid future problems, too.

See bug #68839 [https://bugs.php.net/bug.php?id=68839] for an example of NULL being passed to spprintf.

There are multiple other places where checks are not used to confirm error/pbuf is not null.
---
 main/spprintf.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/main/spprintf.c b/main/spprintf.c
index cd14882..faa97d1 100644
--- a/main/spprintf.c
+++ b/main/spprintf.c
@@ -848,11 +848,16 @@ PHPAPI size_t vspprintf(char **pbuf, size_t max_len, const char *format, va_list smart_string_0(&buf); + //Test 'pbuf'(also known as 'error') against NULL, since it is called multiple places without checking against, causing null pointer dereferences. if (buf.c) { - *pbuf = buf.c; + if(pbuf) { + *pbuf = buf.c; + } result = buf.len; } else { - *pbuf = NULL; + if(pbuf) { + *pbuf = NULL; + } result = 0; } -- 1.9.1
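Review bot: in the `if (buf.c)` branch, wrapping `*pbuf = buf.c` in `if(pbuf)` turns the null dereference into a memory leak: when `pbuf` is NULL the only reference to the buffer that `smart_string_0(&buf)` just finalised is dropped, yet `result = buf.len` still reports success to the caller. Either release the buffer in that case (free it the same way the rest of this file releases smart_string buffers) or reject a NULL `pbuf` up front with an early `return 0;`, and state in the function's header comment which of the two behaviours callers may rely on, since the commit message says other call sites still pass NULL. Style points on the same lines: PHP's C sources use `/* */` comments rather than `//`, the conditions should read `if (pbuf)` with a space, and the new comment should lose the caller-specific aside about `error` (vspprintf has no such parameter) and be wrapped under 80 columns.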
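The commit message argues for checking the output pointer inside the callee rather than at every call site. The following is an added example, not PHP's code and not part of the patch: a small vspprintf-like pair (the names `demo_vspprintf` and `demo_spprintf` are hypothetical) that accepts a NULL output pointer without dereferencing it and, unlike the hunk above, frees the formatted buffer in that case so a NULL `pbuf` cannot leak memory. The `max_len` cap that truncates the result is modelled on spprintf's signature as an assumption of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not PHP's vspprintf): format into a freshly allocated
 * buffer. If pbuf is NULL the caller cannot own the buffer, so it is freed
 * here instead of being leaked. Returns the formatted length, 0 on failure. */
size_t demo_vspprintf(char **pbuf, size_t max_len, const char *format, va_list ap)
{
    va_list ap2;
    char *buf;
    int needed;
    size_t len;

    /* First pass: measure the output without writing anything. */
    va_copy(ap2, ap);
    needed = vsnprintf(NULL, 0, format, ap2);
    va_end(ap2);
    if (needed < 0) {
        if (pbuf) {
            *pbuf = NULL;
        }
        return 0;
    }

    /* Honour the caller's cap (assumed to behave like spprintf's max_len). */
    len = (size_t)needed;
    if (max_len && len > max_len) {
        len = max_len;
    }

    buf = malloc(len + 1);
    if (!buf) {
        if (pbuf) {
            *pbuf = NULL;
        }
        return 0;
    }

    /* Second pass: write at most len characters plus the terminating NUL. */
    vsnprintf(buf, len + 1, format, ap);

    if (pbuf) {
        *pbuf = buf;   /* caller takes ownership of the buffer */
    } else {
        free(buf);     /* nobody can own it: free rather than leak */
    }
    return len;
}

/* Variadic front end, mirroring how spprintf wraps vspprintf. */
size_t demo_spprintf(char **pbuf, size_t max_len, const char *format, ...)
{
    va_list ap;
    size_t n;

    va_start(ap, format);
    n = demo_vspprintf(pbuf, max_len, format, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char *s = NULL;
    size_t n = demo_spprintf(&s, 0, "%s=%d", "x", 42);
    printf("%zu bytes: %s\n", n, s);
    free(s);
    /* NULL output pointer: no dereference, no leak, length still reported. */
    printf("%zu bytes discarded\n", demo_spprintf(NULL, 0, "%s", "hello"));
    return 0;
}
```

The design choice worth copying into a real fix is that the callee owns the error handling for the NULL case completely: it neither writes through the pointer nor leaves an orphaned allocation, so call sites that forget their own check become harmless rather than leaky.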