|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2016-08-10 04:29 UTC] fernando at null-life dot com
Description: ------------ If we add an element to boolean leaf of XML struct, a null pointer dereference will happen when the element is popped. Source code: https://github.com/php/php-src/blob/PHP-5.6.24/ext/wddx/wddx.c#L985 static void php_wddx_pop_element(void *user_data, const XML_Char *name) { ... if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) { target_hash = HASH_OF(ent2->data); ... GDB output ---------- $ gdb -q --args /home/operac/build2/bin/php -n wdx13bis.php ... Stopped reason: SIGSEGV 0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997 997 if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) { gdb-peda$ bt #0 0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997 #1 0x00000000015eca92 in _end_element_handler (user=0x7ffff7f30650, name=<optimized out>) at /home/operac/build2/php-src-56/ext/xml/compat.c:228 ... gdb-peda$ p *ent2 $2 = { data = 0x0, type = ST_BOOLEAN, varname = 0x0 } Test script: --------------- <?php $xml = <<<XML <?xml version='1.0'?> <!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> <wddxPacket version="1.0"> <var name="XXXX"> <boolean value="1"> <dateTime>1998-06-12T04:32:12+00</dateTime> </boolean> </var> </wddxPacket> XML; $array = wddx_deserialize($xml); Expected result: ---------------- No crash Actual result: -------------- operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -v PHP 5.6.26-dev (cli) (built: Aug 7 2016 02:21:28) (DEBUG) Copyright (c) 1997-2016 The PHP Group Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -n wdx2.php ASAN:SIGSEGV ================================================================= ==18201==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000015a8f84 bp 0x7ffc7e2c8dc0 sp 0x7ffc7e2c8c80 T0) #0 0x15a8f83 in php_wddx_pop_element /home/operac/build2/php-src-56/ext/wddx/wddx.c:997 #1 0x15eca91 in _end_element_handler /home/operac/build2/php-src-56/ext/xml/compat.c:228 #2 0x7f3964cac13c (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4a13c) #3 0x7f3964cb83bc (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x563bc) #4 0x7f3964cb962a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5762a) #5 0x15efa8a in php_XML_Parse /home/operac/build2/php-src-56/ext/xml/compat.c:605 #6 0x15c6f82 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1175 #7 0x15c8037 in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1387 #8 0x1d5bdc3 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558 #9 0x1c0506c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363 #10 0x194cdb2 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341 #11 0x169ad0f in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613 #12 0x1d64d96 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994 #13 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378 #14 0x7f3963f4b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #15 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8) PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 08:01:29 2024 UTC |
Patch works OK. Thanks. operac@hp2:~/testafl$ /home/operac/build2/bin/php -n 72799.php NULL operac@hp2:~/testafl$ cat 72799.php <?php $xml = <<<XML <?xml version='1.0'?> <!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> <wddxPacket version="1.0"> <var name="XXXX"> <boolean value="1"> <dateTime>1998-06-12T04:32:12+00</dateTime> </boolean> </var> </wddxPacket> XML; $array = wddx_deserialize($xml); var_dump($array);