PHP :: Bug #80324 :: yaml_parse

Bug #80324	yaml_parse_url assertion
Submitted:	2020-11-05 19:58 UTC	Modified:	2020-12-20 18:17 UTC
From:	kak dot serpom dot po dot yaitsam at gmail dot com	Assigned:	bd808 (profile)
Status:	Closed	Package:	yaml (PECL)
PHP Version:	7.0.8	OS:	Windows/64-bit
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	kak dot serpom dot po dot yaitsam at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2020-11-05 19:58 UTC] kak dot serpom dot po dot yaitsam at gmail dot com

Description:
------------
It crashes only with xdebug enabled on PHP 7.3.24-3+ubuntu18.04.1+deb.sury.org+1 

If I replace anonymous functions with regular functions or methods (like [$this, 'callbackEnv']) then php_yaml_check_callbacks (https://github.com/php/pecl-file_formats-yaml/blob/2.1.0/yaml.c#L305) doesn't crash.

Test script:
---------------
$data = \yaml_parse_file(
    $file,
    0,
    $ndocs,
    [
        '!env'  => function ($str) {
        },
        '!path' => function ($str) {
        },
    ]
);

Expected result:
----------------
No segfault :)

Actual result:
--------------
Program terminated with signal SIGSEGV, Segmentation fault.
#0  php_yaml_check_callbacks (callbacks=<optimized out>, callbacks=<optimized out>) at /tmp/pear/temp/yaml/yaml.c:305
305	/tmp/pear/temp/yaml/yaml.c: No such file or directory.
(gdb) bt
#0  php_yaml_check_callbacks (callbacks=<optimized out>, callbacks=<optimized out>) at /tmp/pear/temp/yaml/yaml.c:305
#1  0x00007f9fa33dd0b4 in zif_yaml_parse_file (execute_data=<optimized out>, return_value=0x7f9fb5a1eac0) at /tmp/pear/temp/yaml/yaml.c:415
#2  0x00007f9fb5266485 in xdebug_execute_internal (current_execute_data=0x7f9fb5a1eb90, return_value=0x7f9fb5a1eac0) at ./build-7.3/src/base/base.c:466
#3  0x0000563d30ea40df in ?? ()
#4  0x0000563d310dceb6 in execute_ex ()
#5  0x00007f9fb5265afc in xdebug_execute_ex (execute_data=0x7f9fb5a1e840) at ./build-7.3/src/base/base.c:380
#6  0x0000563d30ea3d29 in ?? ()
#7  0x0000563d310dceb6 in execute_ex ()

Patches

Pull Requests

Pull requests:

Fix #80324: Segfault in YAML with anonymous functions (pecl-file_formats-yaml/56)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-11-05 21:19 UTC] girgias@php.net

-Summary: Segfault +Summary: Segfault in YAML with anonymous functions while using XDebug -Package: yami +Package: yaml

[2020-12-15 13:40 UTC] cmb@php.net

It seems to me that sizeof(YAML_TIMESTAMP_TAG) is 29[1], so the
memcmp() would cause an OOB read.  Using strcmp() instead should
solve the issue, but would not cater to embedded NUL bytes in the
key.  The proper solution would likely be

    if (zend_string_equals_literal(key, YAML_TIMESTAMP_TAG)) {

However, zend_string_equals_literal() is only available as of PHP
7.0.0.

[1] <https://github.com/yaml/libyaml/blob/acd6f6f014c25e46363e718381e0b35205df2d83/include/yaml.h#L677>

[2020-12-15 13:40 UTC] cmb@php.net

-Summary: Segfault in YAML with anonymous functions while using XDebug +Summary: Segfault in YAML with anonymous functions

[2020-12-15 13:40 UTC] cmb@php.net

Doesn't seem to be related to Xdebug.

[2020-12-16 16:03 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #80324: Segfault in YAML with anonymous functions
On GitHub:  https://github.com/php/pecl-file_formats-yaml/pull/56
Patch:      https://github.com/php/pecl-file_formats-yaml/pull/56.patch

[2020-12-20 18:07 UTC] bd808@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=pecl/file_formats/yaml.git;a=commit;h=d991df2ed5f26024ab7c880fa78313fc1b3703fe
Log: Fix #80324: Segfault in YAML with anonymous functions

[2020-12-20 18:07 UTC] bd808@php.net

-Status: Open +Status: Closed

[2020-12-20 18:17 UTC] bd808@php.net

-Summary: Segfault in YAML with anonymous functions +Summary: yaml_parse_url assertion -Operating System: Ubuntu +Operating System: Windows/64-bit -PHP Version: 7.3.24 +PHP Version: 7.0.8 -Assigned To: +Assigned To: bd808

[2020-12-20 18:17 UTC] bd808@php.net

Fixed in 2.2.1 release. Thank you for the bug report kak, and thank you for the fix cmb!

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 29 14:00:01 2025 UTC