Sec Bug #54682 tidy NullPD
Submitted: 2011-05-07 01:13 UTC Modified: 2012-02-07 20:49 UTC
From: cxib at securityreason dot com Assigned: tony2001 (profile)
Status: Closed Package: Tidy (PECL)
PHP Version: 5 OS: *
Private report: No CVE-ID: None
 [2011-05-07 01:13 UTC] cxib at securityreason dot com
Description:
------------
The tidy class may lead to a null pointer dereference in the tidy lib.

static PHP_FUNCTION(tidy_diagnose)
{
	TIDY_FETCH_OBJECT;

	if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
		tidy_doc_update_properties(obj TSRMLS_CC);
		RETURN_TRUE;
	}

	RETURN_FALSE;
}



Test script:
---------------
(gdb) r -r '$nx=new Tidy("*");$nx->diagnose();'
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /usr/bin/php -r '$nx=new Tidy("*");$nx->diagnose();'
[Thread debugging using libthread_db enabled]
PHP Warning:  tidy::__construct(): Cannot Load '*' into memory  in Command line code on line 1

Program received signal SIGSEGV, Segmentation fault.
0x00007fffedfaff87 in prvTidyReportMarkupVersion ()
   from /usr/lib/libtidy-0.99.so.0


Actual result:
--------------
cx@cx64:~$ php -r '$nx=new Tidy("*");$nx->diagnose();'
PHP Warning:  tidy::__construct(): Cannot Load '*' into memory  in Command line code on line 1
Segmentation fault


History

 [2011-11-14 19:28 UTC] felipe@php.net
I already had a report of such a bug. See bug #46055.

Trying to fix it somehow.
 [2011-11-15 01:23 UTC] max at cxib dot net
hymm..

just changing

if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {

to

if (tidyStatus(obj->ptdoc->doc) != 0 && tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {

? For 540rc1, the fix works well.

Is tidyStatus() the correct function here?
 [2011-11-15 13:41 UTC] felipe@php.net
I guess it's ok to go with this approach.

int TIDY_CALL        tidyStatus( TidyDoc tdoc )
{
    TidyDocImpl* impl = tidyDocToImpl( tdoc );
    int tidyStat = -EINVAL;
    if ( impl )
        tidyStat = tidyDocStatus( impl );
    return tidyStat;
}


int         tidyDocStatus( TidyDocImpl* doc )
{
    if ( doc->errors > 0 )
        return 2;
    if ( doc->warnings > 0 || doc->accessErrors > 0 )
        return 1;
    return 0;
}
 [2011-11-15 15:16 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=319254
Log: - Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference)
 [2011-11-15 15:23 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-11-15 15:23 UTC] felipe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2012-01-13 14:02 UTC] jose dot nobile at gmail dot com
Hi, I compiled PHP 5.3.8 in August 2011 with no problems. Today (2012-01-13), compiling PHP 5.3.9 (with the exact same ./configure --...), I had the following error:
/usr/bin/ld: /usr/local/lib/libtidy.a(alloc.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
/usr/local/lib/libtidy.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [libphp5.la] Error 1

I don't know about programming PHP extensions (but I'm a good PHP programmer).
I believe this change affects Tidy compiling. Can you check?

Linux cali.latinoaustralia.com 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

'./configure' '--bindir=/usr/bin' '--build=x86_64-redhat-linux-gnu' '--cache-file=../config.cache' '--datadir=/usr/share' '--disable-rpath' '--enable-bcmath' '--enable-calendar' '--enable-dba=shared' '--enable-dom' '--enable-exif' '--enable-ftp' '--enable-gd-jis-conv' '--enable-gd-native-ttf' '--enable-intl' '--enable-magic-quotes' '--enable-maintainer-zts' '--enable-mbregex' '--enable-mbstring' '--enable-pcntl' '--enable-pdo' '--enable-shmop' '--enable-soap' '--enable-soap=shared' '--enable-sockets' '--enable-sqlite-utf8' '--enable-static' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--enable-ucd-snmp-hack' '--enable-wddx' '--enable-zip' '--exec-prefix=/usr' '--host=x86_64-redhat-linux-gnu' '--includedir=/usr/include' '--infodir=/usr/share/info' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--mandir=/usr/share/man' '--prefix=/usr' '--program-prefix=' '--sbindir=/usr/sbin' '--sharedstatedir=/usr/com' '--sysconfdir=/etc' '--target=x86_64-redhat-linux-gnu' '--with-apxs2=/usr/sbin/apxs' '--with-bz2' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--with-curl' '--with-db4=/usr' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-gd' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-kerberos' '--with-layout=GNU' '--with-ldap' '--with-ldap-sasl' '--with-libdir=lib64' '--with-libmbfl' '--with-libxml-dir=/usr' '--with-mcrypt' '--with-mhash' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--enable-mysqlnd' '--with-onig' '--with-openssl' '--with-pcre-regex=/usr' '--with-pdo-mysql=mysqlnd' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-pgsql' '--with-pdo-pgsql=shared,/usr' '--with-pdo-sqlite=shared,/usr' '--with-pgsql' '--with-pic' '--with-png-dir=/usr' '--with-pspell' '--with-recode' '--with-snmp' '--with-unixODBC=shared,/usr' '--with-t1lib' '--with-tidy' '--with-xmlrpc' '--with-xsl' '--with-xsl=shared,/usr' '--with-zlib' '--without-gdbm' '--enable-zend-multibyte'
 [2012-01-17 19:49 UTC] nlopess@php.net
Reopening since this patch caused a regression.

e.g.
<?php
$t = new tidy('foo.html');
$t->cleanRepair();
var_dump($t->diagnose());
?>

printed bool(true) previously, but now prints bool(false).
(where foo.html is a file with no errors or warnings)
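An added C model, written for this page and not code from PHP or libtidy, of why the r319254 guard (`tidyStatus(...) != 0`) both stopped the crash in the original report and caused the regression above. It reuses the tidyDocStatus()/tidyStatus() logic quoted in the thread and compares that guard with one on a hypothetical `loaded` flag; the later fix in r323118 is not shown on this page and is not reproduced here.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the libtidy state involved in this report (not libtidy code).
 * `loaded` is a hypothetical flag: did the constructor actually parse a document? */
typedef struct {
    int errors, warnings, accessErrors;
    int loaded;
} TidyDocImpl;

/* Same logic as the tidyDocStatus()/tidyStatus() quoted in the thread. */
static int tidyDocStatus(const TidyDocImpl *doc)
{
    if (doc->errors > 0) return 2;
    if (doc->warnings > 0 || doc->accessErrors > 0) return 1;
    return 0;
}
static int tidyStatus(const TidyDocImpl *doc) { return doc ? tidyDocStatus(doc) : -EINVAL; }

/* Stand-in for tidyRunDiagnostics(): the real one walks parse state that is NULL
 * when nothing was loaded, which is the SIGSEGV in prvTidyReportMarkupVersion. */
static int runDiagnostics(const TidyDocImpl *doc)
{
    if (!doc->loaded) { fputs("NULL parse state dereferenced\n", stderr); abort(); }
    return 0;
}

/* Guard from r319254 (later reverted): only diagnose when status is non-zero.
 * No crash, but a clean loaded document also has status 0, so diagnose() wrongly
 * returns false: the regression nlopess reports in this thread. */
int diagnose_status_guard(const TidyDocImpl *doc)
{
    return tidyStatus(doc) != 0 && runDiagnostics(doc) >= 0;
}

/* Guard on the condition that actually matters: was a document loaded at all? */
int diagnose_loaded_guard(const TidyDocImpl *doc)
{
    return doc != NULL && doc->loaded && runDiagnostics(doc) >= 0;
}

int main(void)
{
    TidyDocImpl unloaded = {0, 0, 0, 0}, clean = {0, 0, 0, 1};
    printf("status guard on clean doc: %d (should be 1)\n", diagnose_status_guard(&clean));
    printf("loaded guard on clean doc: %d, on failed load: %d\n",
           diagnose_loaded_guard(&clean), diagnose_loaded_guard(&unloaded));
    return 0;
}
```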
 [2012-01-17 19:49 UTC] nlopess@php.net
-Status: Closed +Status: Re-Opened -Operating System: NetBSD +Operating System: * -PHP Version: 5.3.6 +PHP Version: 5
 [2012-01-21 11:32 UTC] nlopess@php.net
Automatic comment from SVN on behalf of nlopess
Revision: http://svn.php.net/viewvc/?view=revision&revision=322536
Log: revert r319254 (fix bug #54682) since it is not correct
add test that was broken with that patch.
this bug is probably in libtidy itself and not in PHP. I didn't investigate it enough to confirm, though
 [2012-01-21 11:35 UTC] nlopess@php.net
-Assigned To: felipe +Assigned To:
 [2012-01-21 11:35 UTC] nlopess@php.net
patch reverted with a test: http://news.php.net/php.cvs/67502
 [2012-01-21 11:35 UTC] nlopess@php.net
-Package: *General Issues +Package: Tidy
 [2012-01-23 08:51 UTC] rasmus@php.net
Did someone report this upstream to libtidy?
 [2012-01-23 09:22 UTC] nlopess@php.net
Automatic comment from SVN on behalf of nlopess
Revision: http://svn.php.net/viewvc/?view=revision&revision=322614
Log: minor tweak to warning to fix the bug54682.phpt test
 [2012-02-07 20:49 UTC] tony2001@php.net
Automatic comment from SVN on behalf of tony2001
Revision: http://svn.php.net/viewvc/?view=revision&revision=323118
Log: fix bug #54682 (tidy null pointer dereference)
 [2012-02-07 20:49 UTC] tony2001@php.net
-Status: Re-Opened +Status: Closed -Assigned To: +Assigned To: tony2001
 [2012-02-07 20:49 UTC] tony2001@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d305d7a863a9c736a9c03cba1da9120ca497d049
Log: fix bug #54682 (tidy null pointer dereference)
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of nlopess
Revision: http://git.php.net/?p=php-src.git;a=commit;h=023555c7c66421de26078d522acec20dcffadf49
Log: revert r319254 (fix bug #54682) since it is not correct add test that was broken with that patch. this bug is probably in libtidy itself and not in PHP. I didn't investigate it enough to confirm, though
 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9a7a1fdabb5dd6aca6db15f879b9ec7c9b20075e
Log: - Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 15:01:30 2024 UTC