|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2016-08-09 02:53 UTC] fernando at null-life dot com
Description: ------------ PHP-5.6 crashes while processing invalid XML input with wddx_deserialize https://github.com/php/php-src/blob/PHP-5.6/ext/wddx/wddx.c#L1170 wddx_stack_top(&stack, (void**)&ent); *return_value = *(ent->data); ent value is null but is not checked and then used to assign the return value. This doesn't happen with PHP-7.0, but the code here changed a little, I guess some of these macro check the value and prevent it from happening: https://github.com/php/php-src/blob/PHP-7.0.9/ext/wddx/wddx.c#L1075 wddx_stack_top(&stack, (void**)&ent); ZVAL_COPY(return_value, &ent->data); Test script: --------------- <?php $xml = <<< XML <?xml version='1.0' ?> <!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> <wddxPacket version='1.0'> |array> <var name="XXXX"> <boolean value="this"> </boolean> </var> <var name="YYYY"> <var name="UUUU"> <var name="EZEZ"> </var> </var> </var> </array> </wddxPacket> XML; $array = wddx_deserialize($xml); var_dump($array); Expected result: ---------------- NULL Actual result: -------------- operac@hp2:~/testafl$ /home/operac/build2/bin/php -n wdxnull56.php ASAN:SIGSEGV ================================================================= ==16677==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000015c6577 bp 0x7ffef52c6b50 sp 0x7ffef52c6a80 T0) #0 0x15c6576 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1177 #1 0x15c7737 in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1383 #2 0x1d5b393 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558 #3 0x1c0463c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363 #4 0x194c382 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341 #5 0x169a2df in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613 #6 0x1d64366 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994 #7 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378 #8 0x7f55aeab882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #9 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/operac/build2/php-src-56/ext/wddx/wddx.c:1177 php_wddx_deserialize_ex ==16677==ABORTING PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 21:01:28 2024 UTC |
Patch works ok, Thanks again stas. operac@hp2:~/testafl$ cat 72790.php <?php $xml = <<< XML <?xml version='1.0' ?> <!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> <wddxPacket version='1.0'> |array> <var name="XXXX"> <boolean value="this"> </boolean> </var> <var name="YYYY"> <var name="UUUU"> <var name="EZEZ"> </var> </var> </var> </array> </wddxPacket> XML; $array = wddx_deserialize($xml); var_dump($array); operac@hp2:~/testafl$ /home/operac/build2/bin/php -n 72790.php NULL