[2016-11-18 14:37 UTC] krakjoe@php.net
-Type: Security
+Type: Bug
[2016-11-18 14:37 UTC] krakjoe@php.net
[2021-03-23 15:14 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Package: SOAP related
+Package: XML related
-Assigned To:
+Assigned To: cmb
[2021-03-23 15:19 UTC] cmb@php.net
[2021-03-24 10:55 UTC] cmb@php.net
[2021-03-24 10:55 UTC] cmb@php.net
-Status: Verified
+Status: Closed
Description:
------------
In function php_libxml_xmlCheckUTF8:

int php_libxml_xmlCheckUTF8(const unsigned char *s)
{
	int i;
	unsigned char c;

	for (i = 0; (c = s[i++]);) {
		if ((c & 0x80) == 0) {
		...
}

The input string (s) may have a very big size, which leads to i becoming a negative value and causes php7 to crash.

Test script:
---------------
<?php
ini_set('memory_limit', -1);
class TestSoapClient extends SoapClient {}
$client = new TestSoapClient(dirname(__FILE__).'/ahihi.wsdl');
$strA = 'ahihi';
$strB = str_repeat('a',0x80001000);
$res = $client->Test(array('strA'=>$strA, 'strB'=>$strB));
?>

You can use any valid WSDL file to reproduce this bug.

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../../php7new/php-src-PHP-7.0.13/sapi/cli/php
....
(gdb) r test.php
Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000049117c in php_libxml_xmlCheckUTF8 (s=0x7ffeec000000 'a' <repeats 200 times>...) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/libxml/libxml.c:1143
1143 for (i = 0; (c = s[i++]);) {
(gdb) bt
#0 0x000000000049117c in php_libxml_xmlCheckUTF8 (s=0x7ffeec000000 'a' <repeats 200 times>...)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/libxml/libxml.c:1143
#1 0x000000000081ddb3 in to_xml_string (type=0x13e4d90 <defaultEncoding+112>, data=0x7fffed65f6c0, style=2, parent=0x15f1cd0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:864
#2 0x000000000081c2ed in master_to_xml_int (encode=0x13e4d90 <defaultEncoding+112>, data=0x7fffed65f6c0, style=2, parent=0x15f1cd0, check_class_map=1)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:501
#3 0x000000000081c36a in master_to_xml (encode=0x13e4d90 <defaultEncoding+112>, data=0x7fffed65f6c0, style=2, parent=0x15f1cd0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:512
#4 0x000000000082249b in to_xml_object (type=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:1927
#5 0x000000000082728c in sdl_guess_convert_xml (enc=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:3285
#6 0x000000000081c2ed in master_to_xml_int (encode=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30, check_class_map=1)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:501
#7 0x000000000081c36a in master_to_xml (encode=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:512
#8 0x0000000000818bb7 in serialize_zval (val=0x7fffed663300, param=0x7fffed67a280, paramName=0x7fffed6632a0 "parameters", style=2, parent=0x15f1c30)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:4467
#9 0x0000000000818a1a in serialize_parameter (param=0x7fffed67a280, param_val=0x7fffed663300, index=0, name=0x0, style=2, parent=0x15f1c30)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:4439
#10 0x0000000000818239 in serialize_function_call (this_ptr=0x7fffed6131d0, function=0x7fffed658c00, function_name=0x0, uri=0x0, arguments=0x7fffed663300, arg_count=1, version=1, soap_headers=0x0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:4302
#11 0x0000000000811bfe in do_soap_call (execute_data=0x7fffed6131b0, this_ptr=0x7fffed6131d0, function=0x7fffed67a2d8 "Test", function_len=4, arg_count=1, real_args=0x7fffed663300, return_value=0x7fffed613190, location=0x7fffed658ba0 "http://localhost:8080/~dmitry/bug38004/server.php", soap_action=0x0, call_uri=0x0, soap_headers=0x0, output_headers=0x0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:2734
#12 0x0000000000812e55 in zim_SoapClient___call (execute_data=0x7fffed6131b0, return_value=0x7fffed613190)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:2954
#13 0x0000000000a6b519 in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER ()
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:1788
#14 0x0000000000a67085 in execute_ex (ex=0x7fffed613030)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#15 0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#16 0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#17 0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcaa0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#18 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#19 0x0000000000ad18aa in main (argc=2, argv=0x141c670)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
(gdb) print i
$1 = -2147483647
(gdb)
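Added example, not code from the PHP source or from this report: the reported loop shape with its index narrowed to int8_t, so the wrap to a negative offset reproduces after 127 bytes instead of 2^31-1, next to a size_t-indexed, length-bounded structural UTF-8 check. The function names, the arena layout and the explicit length parameter are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed arena: the string starts in the middle, so a wrapped (negative)
 * index still lands in memory this example owns instead of faulting. */
enum { ARENA = 512, START = 256, REAL_LEN = 200, STRAY_NUL = -100 };
static unsigned char arena[ARENA];

static const unsigned char *make_input(void)
{
    memset(arena, 'a', sizeof arena);
    arena[START + REAL_LEN] = '\0';   /* the string's real terminator */
    arena[START + STRAY_NUL] = '\0';  /* unrelated zero byte before the string */
    return arena + START;
}

/* The report's loop shape, for (i = 0; (c = s[i++]);), with the index narrowed
 * to int8_t. Returns the offset of the byte that ended the scan. */
static int scan_narrow_index(const unsigned char *s)
{
    int8_t i = 0;
    for (;;) {
        int at = i;
        unsigned char c = s[at];
        /* explicit two's-complement wrap; on a plain int this is signed overflow (UB) */
        i = (i == INT8_MAX) ? INT8_MIN : (int8_t)(i + 1);
        if (c == 0) return at;
    }
}

/* Hardened form (assumption of this example): size_t index plus an explicit
 * length. Returns 1 if s[0..n) is structurally valid UTF-8, else 0. */
static int check_utf8_n(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i++];
        size_t need = (c & 0x80) == 0 ? 0 : (c & 0xe0) == 0xc0 ? 1 :
                      (c & 0xf0) == 0xe0 ? 2 : (c & 0xf8) == 0xf0 ? 3 : 4;
        if (need == 4 || need > n - i) return 0; /* bad lead byte or truncated */
        while (need--)
            if ((s[i++] & 0xc0) != 0x80)
                return 0;
    }
    return 1;
}

int main(void) { return scan_narrow_index(make_input()) == STRAY_NUL ? 0 : 1; }
```

The narrow-index scan never reaches the real terminator at offset 200: it wraps after offset 127 and stops on a zero byte 100 bytes before the start of the string, the small-scale counterpart of the negative i in the gdb output above.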