PHP :: Bug #64694 :: segfault when array used as mapping key

Bug #64694	segfault when array used as mapping key
Submitted:	2013-04-23 00:01 UTC	Modified:	2013-11-17 00:43 UTC
From:	me at fixxxer dot me	Assigned:	bd808 (profile)
Status:	Closed	Package:	yaml (PECL)
PHP Version:	5.4Git-2013-04-22 (snap)	OS:	any
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	me at fixxxer dot me
New email:
PHP Version:		OS:

New/Additional Comment:

[2013-04-23 00:01 UTC] me at fixxxer dot me

Description:
------------
Pecl/yaml segfaults on malformed yaml with array keys (see the test script).

The patch attached fixes the problem.

The simple fix is to check for null pointer on the SCALAR_TAG_IS macros. But I see 
absolutely no sense in returning serialized data from convert_to_char() which is 
used only for keys. So I've just dropped the serialization block, and handle the 
null return.

Test script:
---------------
<?php

dl('yaml.so');

$yaml=<<<E
[a]:
    1
E;
yaml_parse($yaml);

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

0x00007ffff63812a5 in handle_mapping (state=0x7fffffffa7a0) at 
/home/build/pkgbuild/php54/php-5.4.13/php-build-stamp-cli/yaml/parse.c:432

432			if (IS_NOT_QUOTED_OR_TAG_IS(key_event, YAML_MERGE_TAG) &&

Patches

yaml.array-key.patch (last revision 2013-04-23 00:01 UTC by me at fixxxer dot me)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-11-16 22:13 UTC] bd808@php.net

-Summary: segfault on malformed yaml +Summary: segfault when array used as mapping key -Assigned To: +Assigned To: bd808

[2013-11-16 22:13 UTC] bd808@php.net

Interestingly this is not malformed YAML. According to the YAML 1.1 spec using an array as the key for a mapping value is perfectly legitimate [0].

Obviously causing PHP to segfault is a bug however.

[0]: http://yaml.org/spec/1.1/#id933629

[2013-11-17 00:43 UTC] bd808@php.net

-Status: Assigned +Status: Closed

[2013-11-17 00:43 UTC] bd808@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2013-11-19 05:47 UTC] bd808@php.net

Patch included in 1.1.1 release.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 20:00:01 2025 UTC