|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
Patchesfix-72714.patch (last revision 2016-08-16 18:45 UTC by cmb@php.net)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-08-04 05:39 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-08-16 18:45 UTC] cmb@php.net
[2016-08-16 18:45 UTC] cmb@php.net
-Status: Open
+Status: Analyzed
-Type: Bug
+Type: Security
-Private report: No
+Private report: Yes
[2016-08-16 18:45 UTC] cmb@php.net
[2016-08-16 19:30 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-08-17 11:49 UTC] dyjakan at gmail dot com
[2016-08-19 23:23 UTC] cmb@php.net
-Package: *XML functions
+Package: XML related
-Assigned To:
+Assigned To: cmb
[2016-08-19 23:23 UTC] cmb@php.net
[2016-08-20 00:33 UTC] cmb@php.net
[2016-08-20 00:33 UTC] cmb@php.net
-Status: Analyzed
+Status: Closed
[2016-08-20 11:06 UTC] cmb@php.net
[2016-10-17 10:09 UTC] bwoebi@php.net
[2016-10-17 10:09 UTC] bwoebi@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 08:01:29 2024 UTC |
Description: ------------ Run test script with PHP/ASan. I tested this on both 7.0.9 and current php-src from github. Marking it as security since it's in xml parsing which can come from the user, better safe than sorry. Test script: --------------- <?php $XML = <<<XML <ns1:total>867</ns1:total> XML; $xml_parser = xml_parser_create(); xml_set_element_handler($xml_parser, 'startElement', 'endElement'); xml_parser_set_option($xml_parser, XML_OPTION_SKIP_TAGSTART, 3015809298423721); xml_parse($xml_parser, $XML); Expected result: ---------------- No crash. Actual result: -------------- ==14458== ERROR: AddressSanitizer: SEGV on unknown address 0x7f933eb77231 (pc 0x7f936d8da9da sp 0x7ffc29e892d8 bp 0x7ffc29e89310 T0) AddressSanitizer can not provide additional info. #0 0x7f936d8da9d9 (/lib/x86_64-linux-gnu/libc-2.19.so+0x889d9) #1 0x7f936e6b2276 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xf276) #2 0xb3d654 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb3d654) #3 0xb3ff26 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb3ff26) #4 0x7f936dc58c24 (/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1+0x41c24) #5 0x7f936dc66152 (/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1+0x4f152) #6 0x7f936dc6713d (/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1+0x5013d) #7 0xb40b63 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb40b63) #8 0xb36a90 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb36a90) #9 0xdb006b (/home/vagrant/builds/7.0.9-asan/bin/php+0xdb006b) #10 0xd6a26a (/home/vagrant/builds/7.0.9-asan/bin/php+0xd6a26a) #11 0xebe209 (/home/vagrant/builds/7.0.9-asan/bin/php+0xebe209) #12 0xc88e2f (/home/vagrant/builds/7.0.9-asan/bin/php+0xc88e2f) #13 0xb52e6f (/home/vagrant/builds/7.0.9-asan/bin/php+0xb52e6f) #14 0xec24b6 (/home/vagrant/builds/7.0.9-asan/bin/php+0xec24b6) #15 0x450d30 (/home/vagrant/builds/7.0.9-asan/bin/php+0x450d30) #16 0x7f936d873f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44) #17 0x4512d6 (/home/vagrant/builds/7.0.9-asan/bin/php+0x4512d6) ==14458== ABORTING gdb$ bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x00007ffff4e5a277 in strlen () from /usr/lib/x86_64-linux-gnu/libasan.so.0 #2 0x0000000000b3d655 in _xml_startElementHandler (userData=0x7ffff34771c0, name=<optimized out>, attributes=0x601e0000d600) at /home/vagrant/source/php-7.0.9/ext/xml/xml.c:731 #3 0x0000000000b3ff27 in _start_element_handler (user=0x7ffff3402580, name=<optimized out>, attributes=0x601e0000d600) at /home/vagrant/source/php-7.0.9/ext/xml/compat.c:84 #4 0x00007ffff4400c25 in xmlParseStartTag () from /usr/lib/x86_64-linux-gnu/libxml2.so.2 #5 0x00007ffff440e153 in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2 #6 0x00007ffff440f13e in xmlParseChunk () from /usr/lib/x86_64-linux-gnu/libxml2.so.2 #7 0x0000000000b40b64 in php_XML_Parse (parser=0x7ffff3402580, data=<optimized out>, data_len=<optimized out>, is_final=<optimized out>) at /home/vagrant/source/php-7.0.9/ext/xml/compat.c:596 #8 0x0000000000b36a91 in zif_xml_parse (execute_data=<optimized out>, return_value=0x7ffff3413190) at /home/vagrant/source/php-7.0.9/ext/xml/xml.c:1406 #9 0x0000000000db006c in ZEND_DO_ICALL_SPEC_HANDLER () at /home/vagrant/source/php-7.0.9/Zend/zend_vm_execute.h:586 #10 0x0000000000d6a26b in execute_ex (ex=<optimized out>) at /home/vagrant/source/php-7.0.9/Zend/zend_vm_execute.h:414 #11 0x0000000000ebe20a in zend_execute (op_array=op_array@entry=0x7ffff3480000, return_value=return_value@entry=0x0) at /home/vagrant/source/php-7.0.9/Zend/zend_vm_execute.h:458 #12 0x0000000000c88e30 in zend_execute_scripts (type=type@entry=0x8, retval=retval@entry=0x0, file_count=file_count@entry=0x3) at /home/vagrant/source/php-7.0.9/Zend/zend.c:1427 #13 0x0000000000b52e70 in php_execute_script (primary_file=primary_file@entry=0x7fffffffcfa0) at /home/vagrant/source/php-7.0.9/main/main.c:2494 #14 0x0000000000ec24b7 in do_cli (argc=0x2, argv=0x60060000edd0) at /home/vagrant/source/php-7.0.9/sapi/cli/php_cli.c:974 #15 0x0000000000450d31 in main (argc=0x2, argv=0x60060000edd0) at /home/vagrant/source/php-7.0.9/sapi/cli/php_cli.c:1344