Bug #64694 segfault when array used as mapping key
Submitted: 2013-04-23 00:01 UTC Modified: 2013-11-17 00:43 UTC
From: me at fixxxer dot me Assigned: bd808 (profile)
Status: Closed Package: yaml (PECL)
PHP Version: 5.4Git-2013-04-22 (snap) OS: any
Private report: No CVE-ID: None
 [2013-04-23 00:01 UTC] me at fixxxer dot me
Description:
------------
Pecl/yaml segfaults on malformed yaml with array keys (see the test script).

The patch attached fixes the problem.

The simple fix is to check for null pointer on the SCALAR_TAG_IS macros. But I see absolutely no sense in returning serialized data from convert_to_char() which is used only for keys. So I've just dropped the serialization block, and handle the null return.

Test script:
---------------
<?php
// Load the extension only if it is not already compiled in or enabled via php.ini.
if (!extension_loaded('yaml')) {
    dl('yaml.so');
}

// A mapping whose key is a flow sequence ("[a]"); this input triggers the crash.
$yaml = <<<E
[a]:
    1
E;
var_dump(yaml_parse($yaml));

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

0x00007ffff63812a5 in handle_mapping (state=0x7fffffffa7a0) at 
/home/build/pkgbuild/php54/php-5.4.13/php-build-stamp-cli/yaml/parse.c:432

432			if (IS_NOT_QUOTED_OR_TAG_IS(key_event, YAML_MERGE_TAG) && 

Patches

yaml.array-key.patch (last revision 2013-04-23 00:01 UTC by me at fixxxer dot me)

History

 [2013-11-16 22:13 UTC] bd808@php.net
-Summary: segfault on malformed yaml +Summary: segfault when array used as mapping key -Assigned To: +Assigned To: bd808
 [2013-11-16 22:13 UTC] bd808@php.net
Interestingly this is not malformed YAML. According to the YAML 1.1 spec using an array as the key for a mapping value is perfectly legitimate [0].

Obviously causing PHP to segfault is a bug however.

[0]: http://yaml.org/spec/1.1/#id933629
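The defect the reporter describes, together with bd808's point that a sequence is a legitimate mapping key in YAML 1.1, modelled as an added C example. This is not the PECL yaml source: the event struct, key_to_char(), tag_is() and classify_key() are hypothetical stand-ins for the extension's convert_to_char() and its SCALAR_TAG_IS / IS_NOT_QUOTED_OR_TAG_IS macros, and the sample events are constructed. The point it demonstrates is that once the key-text lookup yields NULL for a collection key, every comparison on that text must check for NULL first, and the mapping handler must treat the non-scalar key as an error case rather than a string.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical parser-event model (not libyaml's or PECL yaml's types).
 * A sequence-start event, such as the "[a]" key in the report, carries
 * no scalar text, so value is NULL. */
typedef enum { EV_SCALAR, EV_SEQUENCE_START, EV_MAPPING_START } ev_type_t;

typedef struct {
    ev_type_t type;
    const char *value;  /* scalar text; NULL for collection events */
    const char *tag;    /* explicit tag; NULL when none was given */
    int plain;          /* 1 for an unquoted (plain) scalar */
} key_event_t;

/* Outcome of handling one mapping key. */
typedef enum { KEY_MERGE, KEY_STRING, KEY_NON_SCALAR } key_kind_t;

/* Standard YAML merge-key tag. */
#define MERGE_TAG "tag:yaml.org,2002:merge"

/* Key text for a scalar event, NULL otherwise. Models convert_to_char()
 * after dropping the serialization path: a collection is not a string,
 * so callers must expect NULL here. */
static const char *key_to_char(const key_event_t *ev)
{
    return ev->type == EV_SCALAR ? ev->value : NULL;
}

/* Shape of the defect (hypothetical reconstruction, never used below):
 * comparing the key text without checking that one exists dereferences
 * NULL for a "[a]:" key. */
#define TAG_TEXT_IS_UNSAFE(ev, t) (strcmp(key_to_char(ev), (t)) == 0)

/* Null-safe tag comparison: a missing tag never matches. */
static int tag_is(const key_event_t *ev, const char *tag)
{
    return ev->tag != NULL && strcmp(ev->tag, tag) == 0;
}

/* A plain "<<" scalar or an explicit merge tag selects merge handling. */
static int is_merge_key(const key_event_t *ev)
{
    const char *text = key_to_char(ev);
    if (text == NULL)           /* collection key: nothing to compare */
        return 0;
    return (ev->plain && strcmp(text, "<<") == 0) || tag_is(ev, MERGE_TAG);
}

/* Mapping-key dispatch that handles the NULL return instead of crashing.
 * The caller would raise a parse error for KEY_NON_SCALAR. */
static key_kind_t handle_mapping_key(const key_event_t *ev)
{
    if (key_to_char(ev) == NULL)
        return KEY_NON_SCALAR;
    return is_merge_key(ev) ? KEY_MERGE : KEY_STRING;
}

/* Convenience wrapper that builds an event from its fields. */
static key_kind_t classify_key(ev_type_t type, const char *value,
                               const char *tag, int plain)
{
    key_event_t ev = { type, value, tag, plain };
    return handle_mapping_key(&ev);
}

int main(void)
{
    /* Constructed sample keys: the "[a]" from the report, a merge key, a name. */
    printf("[a]  -> %d (2 = non-scalar)\n",
           classify_key(EV_SEQUENCE_START, NULL, NULL, 0));
    printf("<<   -> %d (0 = merge)\n",
           classify_key(EV_SCALAR, "<<", NULL, 1));
    printf("name -> %d (1 = string)\n",
           classify_key(EV_SCALAR, "name", NULL, 1));
    return 0;
}
```

A quoted "<<" is an ordinary string key, and an explicit merge tag on any scalar selects merge handling; both paths go through the NULL check first, which is the single change that turns the crash into a reportable parse error.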
 [2013-11-17 00:43 UTC] bd808@php.net
-Status: Assigned +Status: Closed
 [2013-11-17 00:43 UTC] bd808@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 [2013-11-19 05:47 UTC] bd808@php.net
Patch included in 1.1.1 release.