Bug #72210 null ptr deref _xml_add_to_info (xml.c:687)
Submitted: 2016-05-12 19:31 UTC Modified: 2016-07-25 18:10 UTC
From: brian dot carpenter at gmail dot com Assigned: tpunt (profile)
Status: Closed Package: Reproducible crash
PHP Version: N/A OS: Debian 8.2 x64
Private report: No CVE-ID: None

 [2016-05-12 19:31 UTC] brian dot carpenter at gmail dot com
Description:
------------
Using the test script in Bug #72099 with PHP 7.1.0-dev (cli) (built: May  6 2016 15:15:38), I'm seeing a null pointer deref.

Test script:
---------------
<?php

$var1=xml_parser_create_ns();
$var2="<xss>";
xml_parse($var1, $var2);

$var2=str_repeat("a", 10);
$var3=[];
$var4=[];
xml_parse_into_struct($var1, $var2, $var3, $var4);
var_dump($var3);

Expected result:
----------------
No crash.

Actual result:
--------------
==126942== Invalid read of size 1
==126942==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==126942==    by 0x11DC7AF: _xml_add_to_info (xml.c:687)
==126942==    by 0x11DC7AF: _xml_characterDataHandler (xml.c:924)
==126942==    by 0x5BEB1B4: xmlParseCharData (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF84CB: xmlParseTryOrFinish (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF8E2D: xmlParseChunk (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x11E7098: php_XML_Parse (compat.c:596)
==126942==    by 0x11D39E1: zif_xml_parse_into_struct (xml.c:1450)
==126942==    by 0x169757E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:615)
==126942==    by 0x1645B42: execute_ex (zend_vm_execute.h:425)
==126942==    by 0x188EFE0: zend_execute (zend_vm_execute.h:470)
==126942==    by 0x145EDD7: zend_execute_scripts (zend.c:1427)
==126942==    by 0x120AD3F: php_execute_script (main.c:2492)
==126942==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==126942== 
==126942== 
==126942== Process terminating with default action of signal 11 (SIGSEGV)
==126942==  Access not within mapped region at address 0x0
==126942==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==126942==    by 0x11DC7AF: _xml_add_to_info (xml.c:687)
==126942==    by 0x11DC7AF: _xml_characterDataHandler (xml.c:924)
==126942==    by 0x5BEB1B4: xmlParseCharData (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF84CB: xmlParseTryOrFinish (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF8E2D: xmlParseChunk (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x11E7098: php_XML_Parse (compat.c:596)
==126942==    by 0x11D39E1: zif_xml_parse_into_struct (xml.c:1450)
==126942==    by 0x169757E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:615)
==126942==    by 0x1645B42: execute_ex (zend_vm_execute.h:425)
==126942==    by 0x188EFE0: zend_execute (zend_vm_execute.h:470)
==126942==    by 0x145EDD7: zend_execute_scripts (zend.c:1427)
==126942==    by 0x120AD3F: php_execute_script (main.c:2492)
==126942==  If you believe this happened as a result of a stack
==126942==  overflow in your program's main thread (unlikely but
==126942==  possible), you can try to increase the size of the
==126942==  main thread stack using the --main-stacksize= flag.
==126942==  The main thread stack size used in this run was 8388608.
Segmentation fault

#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000011dc7b0 in _xml_add_to_info (name=0x0, parser=0x7ffff6078000) at /home/geeknik/php-src/ext/xml/xml.c:687
#2  _xml_characterDataHandler (userData=0x7ffff6078000, s=<optimized out>, len=<optimized out>) at /home/geeknik/php-src/ext/xml/xml.c:924
#3  0x00007ffff6d451b5 in xmlParseCharData__internal_alias (ctxt=ctxt@entry=0x2138850, cdata=cdata@entry=0) at ../../parser.c:4579
#4  0x00007ffff6d524cc in xmlParseTryOrFinish (ctxt=ctxt@entry=0x2138850, terminate=terminate@entry=1) at ../../parser.c:11658
#5  0x00007ffff6d52e2e in xmlParseChunk__internal_alias (ctxt=0x2138850, chunk=0x7ffff60601f8 "aaaaaaaaaa", size=10, terminate=terminate@entry=1)
    at ../../parser.c:12397
#6  0x00000000011e7099 in php_XML_Parse (parser=0x7ffff6085000, data=<optimized out>, data_len=<optimized out>, is_final=is_final@entry=1)
    at /home/geeknik/php-src/ext/xml/compat.c:596
#7  0x00000000011d39e2 in zif_xml_parse_into_struct (execute_data=<optimized out>, return_value=0x7fffffffa8c0) at /home/geeknik/php-src/ext/xml/xml.c:1450
#8  0x000000000169757f in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/geeknik/php-src/Zend/zend_vm_execute.h:615
#9  0x0000000001645b43 in execute_ex (ex=<optimized out>) at /home/geeknik/php-src/Zend/zend_vm_execute.h:425
#10 0x000000000188efe1 in zend_execute (op_array=op_array@entry=0x7ffff6086280, return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:470
#11 0x000000000145edd8 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=-167698384, file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1427
#12 0x000000000120ad40 in php_execute_script (primary_file=0x7fffffffcf20) at /home/geeknik/php-src/main/main.c:2492
#13 0x000000000189ae95 in do_cli (argc=0, argv=0x8) at /home/geeknik/php-src/sapi/cli/php_cli.c:982
#14 0x0000000000450dd1 in main (argc=0, argv=0x8) at /home/geeknik/php-src/sapi/cli/php_cli.c:1352

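A defensive counterpart to the test script above, added here as an example that is not part of the report: each document gets its own parser handle instead of sharing one between xml_parse() and xml_parse_into_struct(), and the return value is checked before the output is used. The function name and the error-reporting choices are this example's own.

```php
<?php
// Added example (not from the bug report): parse each document with its own
// parser handle rather than reusing one that has already consumed part of a
// different document, and check the result before trusting $values.

function parse_document_into_struct(string $data): ?array
{
    // Fresh parser per document: no element stack or buffered state is left
    // over from an earlier, unfinished parse on the same handle.
    $parser = xml_parser_create_ns();
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);

    $values = [];
    $index = [];
    $ok = xml_parse_into_struct($parser, $data, $values, $index);

    if ($ok !== 1) {
        // Report the parser error instead of returning half-filled structures.
        $code = xml_get_error_code($parser);
        fprintf(STDERR, "XML error %d: %s at line %d\n",
            $code, xml_error_string($code), xml_get_current_line_number($parser));
        xml_parser_free($parser);
        return null;
    }

    xml_parser_free($parser);
    return $values;
}

// The two inputs the report feeds into one shared parser, each parsed on its
// own, plus a well-formed document for comparison (constructed sample input).
foreach (["<xss>", str_repeat("a", 10), "<doc><item>ok</item></doc>"] as $input) {
    $result = parse_document_into_struct($input);
    echo ($result === null ? "rejected" : count($result) . " nodes"), "\n";
}
```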
History

 [2016-05-13 05:31 UTC] krakjoe@php.net
-PHP Version: 7.0Git-2016-05-12 (Git) +PHP Version: N/A
 [2016-05-13 05:31 UTC] krakjoe@php.net
Also occurs in 5.
 [2016-07-25 18:10 UTC] tpunt@php.net
Looking at the affected versions, this appears to have been fixed in later patch releases and in master a few months ago:
https://3v4l.org/WbEV0

I'm therefore closing this as resolved - please reply back here if this is not the case.
 [2016-07-25 18:10 UTC] tpunt@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: tpunt
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri Jul 04 20:01:35 2025 UTC