php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61770 Crash on nonunicode character
Submitted: 2012-04-18 23:31 UTC Modified: 2013-11-19 03:04 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: phpbug at kartio dot org Assigned: bd808 (profile)
Status: Closed Package: yaml (PECL)
PHP Version: 5.3.10 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: phpbug at kartio dot org
New email:
PHP Version: OS:

 

 [2012-04-18 23:31 UTC] phpbug at kartio dot org
Description:
------------
Will crash on some character sequences that are not valid unicode. Trying to print same character with valid utf-8 sequence doesn't crash.

Test script:
---------------
yaml_emit("\xc2");

Actual result:
--------------
PHP Warning:  yaml_emit(): Memory error: Not enough memory for creating an event (libyaml) in php shell code on line 1

*** glibc detected *** /usr/bin/php: double free or corruption (fasttop): 0x09537278 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6(+0x6b381)[0xb6f4a381]
/lib/i686/cmov/libc.so.6(+0x6cbd8)[0xb6f4bbd8]
/lib/i686/cmov/libc.so.6(cfree+0x6d)[0xb6f4ecbd]
/usr/lib/libyaml-0.so.2(yaml_free+0x21)[0xb6316631]
/usr/lib/libyaml-0.so.2(yaml_event_delete+0x9e)[0xb631687e]
/usr/lib/php5/20090626+lfs/yaml.so(+0x5c05)[0xb6336c05]
/usr/lib/php5/20090626+lfs/yaml.so(+0x62f8)[0xb63372f8]
/usr/lib/php5/20090626+lfs/yaml.so(+0x664b)[0xb633764b]
/usr/lib/php5/20090626+lfs/yaml.so(php_yaml_write_impl+0x12e)[0xb6337b8e]
/usr/lib/php5/20090626+lfs/yaml.so(+0x26e4)[0xb63336e4]
/usr/bin/php(execute_internal+0x4b)[0x8364f5b]
...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-04-30 03:57 UTC] bd808@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: bd808
 [2012-04-30 05:48 UTC] bd808@php.net
Looks like this is an issue interacting with the underlying libyaml library. There is a note in the writer.c source file that says "Note that we assume that the buffer contains a valid UTF-8 sequence." Currently the extension makes no attempt to validate/cleanse the php input string prior to passing it to libyaml.

This could be handled in a couple of ways:
- document the need to ensure valid UTF-8 input
- depend on iconv and ensure valid encoding inside the yaml extension
 [2012-05-03 16:15 UTC] alpacagm at gmail dot com
Corresponding ticket in libyaml bugtracker
http://pyyaml.org/ticket/138 looks dead.
 [2013-04-19 04:22 UTC] bd808@php.net
-Status: Verified +Status: Wont fix
 [2013-11-19 02:17 UTC] bd808@php.net
-Status: Wont fix +Status: Re-Opened
 [2013-11-19 02:17 UTC] bd808@php.net
Crashing just because the upstream library has a bug isn't acceptable. I need to fix this.

Behavior similar to json_encode() for the same input would be acceptable:

    $ php -r 'var_dump(json_encode("\xc2"));'
    PHP Warning:  json_encode(): Invalid UTF-8 sequence in argument in Command line code on line 1
    string(4) "null"
 [2013-11-19 03:04 UTC] bd808@php.net
-Status: Re-Opened +Status: Closed
 [2013-11-19 03:04 UTC] bd808@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-11-19 05:46 UTC] bd808@php.net
Patch included in 1.1.1 release.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 09:01:30 2024 UTC