php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64694 segfault when array used as mapping key
Submitted: 2013-04-23 00:01 UTC Modified: 2013-11-17 00:43 UTC
From: me at fixxxer dot me Assigned: bd808 (profile)
Status: Closed Package: yaml (PECL)
PHP Version: 5.4Git-2013-04-22 (snap) OS: any
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: me at fixxxer dot me
New email:
PHP Version: OS:

 

 [2013-04-23 00:01 UTC] me at fixxxer dot me
Description:
------------
Pecl/yaml segfaults on malformed yaml with array keys (see the test script).

The patch attached fixes the problem.

The simple fix is to check for null pointer on the SCALAR_TAG_IS macros. But I see 
absolutely no sense in returning serialized data from convert_to_char() which is 
used only for keys. So I've just dropped the serialization block, and handle the 
null return.

Test script:
---------------
<?php

dl('yaml.so');

$yaml=<<<E
[a]:
    1
E;
yaml_parse($yaml);

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

0x00007ffff63812a5 in handle_mapping (state=0x7fffffffa7a0) at 
/home/build/pkgbuild/php54/php-5.4.13/php-build-stamp-cli/yaml/parse.c:432

432			if (IS_NOT_QUOTED_OR_TAG_IS(key_event, YAML_MERGE_TAG) && 

Patches

yaml.array-key.patch (last revision 2013-04-23 00:01 UTC by me at fixxxer dot me)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-11-16 22:13 UTC] bd808@php.net
-Summary: segfault on malformed yaml +Summary: segfault when array used as mapping key -Assigned To: +Assigned To: bd808
 [2013-11-16 22:13 UTC] bd808@php.net
Interestingly this is not malformed YAML. According to the YAML 1.1 spec using an array as the key for a mapping value is perfectly legitimate [0].

Obviously causing PHP to segfault is a bug however.

[0]: http://yaml.org/spec/1.1/#id933629
 [2013-11-17 00:43 UTC] bd808@php.net
-Status: Assigned +Status: Closed
 [2013-11-17 00:43 UTC] bd808@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-11-19 05:47 UTC] bd808@php.net
Patch included in 1.1.1 release.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 09:01:30 2024 UTC