php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #54682 tidy NullPD
Submitted: 2011-05-07 01:13 UTC Modified: 2012-02-07 20:49 UTC
From: cxib at securityreason dot com Assigned: tony2001 (profile)
Status: Closed Package: Tidy (PECL)
PHP Version: 5 OS: *
Private report: No CVE-ID: None
 [2011-05-07 01:13 UTC] cxib at securityreason dot com
Description:
------------
class tidy, may provide to null pointer dereference using tidy lib. 

1287 	static PHP_FUNCTION(tidy_diagnose)
1288 	{
1289 	TIDY_FETCH_OBJECT;
1290 	
1291 	if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
1292 	tidy_doc_update_properties(obj TSRMLS_CC);
1293 	RETURN_TRUE;
1294 	}
1295 	
1296 	RETURN_FALSE;
1297 	} 



Test script:
---------------
(gdb) r -r '$nx=new Tidy("*");$nx->diagnose();'
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /usr/bin/php -r '$nx=new Tidy("*");$nx->diagnose();'
[Thread debugging using libthread_db enabled]
PHP Warning:  tidy::__construct(): Cannot Load '*' into memory  in Command line code on line 1

Program received signal SIGSEGV, Segmentation fault.
0x00007fffedfaff87 in prvTidyReportMarkupVersion ()
   from /usr/lib/libtidy-0.99.so.0


Actual result:
--------------
cx@cx64:~$ php -r '$nx=new Tidy("*");$nx->diagnose();'
PHP Warning:  tidy::__construct(): Cannot Load '*' into memory  in Command line code on line 1
Segmentation fault


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-11-14 19:28 UTC] felipe@php.net
I already had report such bug. See bug #46055

Trying to fix it someway.
 [2011-11-15 01:23 UTC] max at cxib dot net
hymm..

just changing 

if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {

to
	if (tidyStatus(obj->ptdoc->doc)!=0 && tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {

? for 540rc1, fix works well

is tidyStatus() correct function here?
 [2011-11-15 13:41 UTC] felipe@php.net
I guess it's ok to got with this approach.

743	int TIDY_CALL        tidyStatus( TidyDoc tdoc )
744	{
745	    TidyDocImpl* impl = tidyDocToImpl( tdoc );
746	    int tidyStat = -EINVAL;
747	    if ( impl )
748	        tidyStat = tidyDocStatus( impl );
749	    return tidyStat;
750	}


1117	int         tidyDocStatus( TidyDocImpl* doc )
1118	{
1119	    if ( doc->errors > 0 )
1120	        return 2;
1121	    if ( doc->warnings > 0 || doc->accessErrors > 0 )
1122	        return 1;
1123	    return 0;
1124	}
 [2011-11-15 15:16 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=319254
Log: - Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference)
 [2011-11-15 15:23 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-11-15 15:23 UTC] felipe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2012-01-13 14:02 UTC] jose dot nobile at gmail dot com
Hi, I did compile PHP 5.3.8 in August 2011 with not problems. Today (2012-01-13) 
compiling PHP 5.3.9 (with exact ./configure --...)
I had the next error:
/usr/bin/ld: /usr/local/lib/libtidy.a(alloc.o): relocation R_X86_64_32 against 
`a local symbol' can not be used when making a shared object; recompile with -
fPIC
/usr/local/lib/libtidy.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [libphp5.la] Error 1

I don't know about programming PHP Extensions (but a I'm a good php programmer).
I believe than these change affect Tidy compiling, Can you check?

Linux cali.latinoaustralia.com 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 
2011 x86_64 x86_64 x86_64 GNU/Linux

'./configure' '--bindir=/usr/bin' '--build=x86_64-redhat-linux-gnu' '--cache-
file=../config.cache' '--datadir=/usr/share' '--disable-rpath' '--enable-bcmath' 
'--enable-calendar' '--enable-dba=shared' '--enable-dom' '--enable-exif' '--
enable-ftp' '--enable-gd-jis-conv' '--enable-gd-native-ttf' '--enable-intl' '--
enable-magic-quotes' '--enable-maintainer-zts' '--enable-mbregex' '--enable-
mbstring' '--enable-pcntl' '--enable-pdo' '--enable-shmop' '--enable-soap' '--
enable-soap=shared' '--enable-sockets' '--enable-sqlite-utf8' '--enable-static' 
'--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--enable-ucd-snmp-
hack' '--enable-wddx' '--enable-zip' '--exec-prefix=/usr' '--host=x86_64-redhat-
linux-gnu' '--includedir=/usr/include' '--infodir=/usr/share/info' '--
libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--
mandir=/usr/share/man' '--prefix=/usr' '--program-prefix=' '--sbindir=/usr/sbin' 
'--sharedstatedir=/usr/com' '--sysconfdir=/etc' '--target=x86_64-redhat-linux-
gnu' '--with-apxs2=/usr/sbin/apxs' '--with-bz2' '--with-config-file-path=/etc' 
'--with-config-file-scan-dir=/etc/php.d' '--with-curl' '--with-db4=/usr' '--
with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-gd' '--with-gettext' 
'--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-kerberos' '--with-
layout=GNU' '--with-ldap' '--with-ldap-sasl' '--with-libdir=lib64' '--with-
libmbfl' '--with-libxml-dir=/usr' '--with-mcrypt' '--with-mhash' '--with-mysql-
sock=/var/lib/mysql/mysql.sock' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' 
'--enable-mysqlnd' '--with-onig' '--with-openssl' '--with-pcre-regex=/usr' '--
with-pdo-mysql=mysqlnd' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-
pgsql' '--with-pdo-pgsql=shared,/usr' '--with-pdo-sqlite=shared,/usr' '--with-
pgsql' '--with-pic' '--with-png-dir=/usr' '--with-pspell' '--with-recode' '--
with-snmp' '--with-unixODBC=shared,/usr' '--with-t1lib' '--with-tidy' '--with-
xmlrpc' '--with-xsl' '--with-xsl=shared,/usr' '--with-zlib' '--without-gdbm' '--
enable-zend-multibyte'
 [2012-01-17 19:49 UTC] nlopess@php.net
Reopening since this patch made a regression.

e.g.
<?php
$t = new tidy('foo.html');
$t->cleanRepair();
var_dump($t->diagnose());
?>

printed bool(true) previously, but now prints bool(false).
(where foo.html is a file with no errors or warnings)
 [2012-01-17 19:49 UTC] nlopess@php.net
-Status: Closed +Status: Re-Opened -Operating System: NetBSD +Operating System: * -PHP Version: 5.3.6 +PHP Version: 5
 [2012-01-21 11:32 UTC] nlopess@php.net
Automatic comment from SVN on behalf of nlopess
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=322536
Log: revert r319254 (fix bug #54682) since it is not correct
add test that was broken with that patch.
this bug is probably in libtidy itself and not in PHP. I didn't investigate it enough to confirm, though
 [2012-01-21 11:35 UTC] nlopess@php.net
-Assigned To: felipe +Assigned To:
 [2012-01-21 11:35 UTC] nlopess@php.net
patch reverted with a test: http://news.php.net/php.cvs/67502
 [2012-01-21 11:35 UTC] nlopess@php.net
-Package: *General Issues +Package: Tidy
 [2012-01-23 08:51 UTC] rasmus@php.net
Did someone report this upstream to libtidy?
 [2012-01-23 09:22 UTC] nlopess@php.net
Automatic comment from SVN on behalf of nlopess
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=322614
Log: minor tweak to warning to fix the bug54682.phpt test
 [2012-02-07 20:49 UTC] tony2001@php.net
Automatic comment from SVN on behalf of tony2001
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323118
Log: fix bug #54682 (tidy null pointer dereference)
 [2012-02-07 20:49 UTC] tony2001@php.net
-Status: Re-Opened +Status: Closed -Assigned To: +Assigned To: tony2001
 [2012-02-07 20:49 UTC] tony2001@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d305d7a863a9c736a9c03cba1da9120ca497d049
Log: fix bug #54682 (tidy null pointer dereference)
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of nlopess
Revision: http://git.php.net/?p=php-src.git;a=commit;h=023555c7c66421de26078d522acec20dcffadf49
Log: revert r319254 (fix bug #54682) since it is not correct add test that was broken with that patch. this bug is probably in libtidy itself and not in PHP. I didn't investigate it enough to confirm, though
 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9a7a1fdabb5dd6aca6db15f879b9ec7c9b20075e
Log: - Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference)
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d305d7a863a9c736a9c03cba1da9120ca497d049
Log: fix bug #54682 (tidy null pointer dereference)
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of nlopess
Revision: http://git.php.net/?p=php-src.git;a=commit;h=023555c7c66421de26078d522acec20dcffadf49
Log: revert r319254 (fix bug #54682) since it is not correct add test that was broken with that patch. this bug is probably in libtidy itself and not in PHP. I didn't investigate it enough to confirm, though
 [2012-07-24 23:38 UTC] rasmus@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9a7a1fdabb5dd6aca6db15f879b9ec7c9b20075e
Log: - Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference)
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d305d7a863a9c736a9c03cba1da9120ca497d049
Log: fix bug #54682 (tidy null pointer dereference)
 [2013-11-17 09:34 UTC] laruence@php.net
Automatic comment on behalf of nlopess
Revision: http://git.php.net/?p=php-src.git;a=commit;h=023555c7c66421de26078d522acec20dcffadf49
Log: revert r319254 (fix bug #54682) since it is not correct add test that was broken with that patch. this bug is probably in libtidy itself and not in PHP. I didn't investigate it enough to confirm, though
 [2013-11-17 09:35 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9a7a1fdabb5dd6aca6db15f879b9ec7c9b20075e
Log: - Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC