PHP :: Sec Bug #72799 :: wddx_deserialize null dereference in php_wddx_pop

Sec Bug #72799	wddx_deserialize null dereference in php_wddx_pop_element
Submitted:	2016-08-10 04:29 UTC	Modified:	2016-09-05 15:29 UTC
From:	fernando at null-life dot com	Assigned:	stas (profile)
Status:	Closed	Package:	WDDX related
PHP Version:	5.6.24	OS:	*
Private report:	No	CVE-ID:	2016-7132

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	fernando at null-life dot com
New email:
PHP Version:		OS:

New Comment:

[2016-08-10 04:29 UTC] fernando at null-life dot com

Description:
------------
If we add an element to boolean leaf of XML struct, a null pointer dereference will happen when the element is popped. 

Source code:
https://github.com/php/php-src/blob/PHP-5.6.24/ext/wddx/wddx.c#L985

static void php_wddx_pop_element(void *user_data, const XML_Char *name)
{
...
  if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
    target_hash = HASH_OF(ent2->data);
...

GDB output
----------

$ gdb -q --args  /home/operac/build2/bin/php -n wdx13bis.php
...
Stopped reason: SIGSEGV
0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
997   if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
gdb-peda$ bt
#0  0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
#1  0x00000000015eca92 in _end_element_handler (user=0x7ffff7f30650, name=<optimized out>) at /home/operac/build2/php-src-56/ext/xml/compat.c:228
...
gdb-peda$ p *ent2
$2 = {
  data = 0x0,                      
  type = ST_BOOLEAN,
  varname = 0x0
}

Test script:
---------------
<?php

$xml = <<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version="1.0">
    <var name="XXXX">
        <boolean value="1">
            <dateTime>1998-06-12T04:32:12+00</dateTime>
        </boolean>
    </var>
</wddxPacket>
XML;

$array = wddx_deserialize($xml);


Expected result:
----------------
No crash


Actual result:
--------------
operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -v 
PHP 5.6.26-dev (cli) (built: Aug  7 2016 02:21:28) (DEBUG)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -n wdx2.php
ASAN:SIGSEGV
=================================================================
==18201==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000015a8f84 bp 0x7ffc7e2c8dc0 sp 0x7ffc7e2c8c80 T0)
    #0 0x15a8f83 in php_wddx_pop_element /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
    #1 0x15eca91 in _end_element_handler /home/operac/build2/php-src-56/ext/xml/compat.c:228
    #2 0x7f3964cac13c  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4a13c)
    #3 0x7f3964cb83bc  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x563bc)
    #4 0x7f3964cb962a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5762a)
    #5 0x15efa8a in php_XML_Parse /home/operac/build2/php-src-56/ext/xml/compat.c:605
    #6 0x15c6f82 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1175
    #7 0x15c8037 in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1387
    #8 0x1d5bdc3 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #9 0x1c0506c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #10 0x194cdb2 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #11 0x169ad0f in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #12 0x1d64d96 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #13 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #14 0x7f3963f4b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-08-11 06:45 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2016-08-11 06:45 UTC] stas@php.net

the patch in https://gist.github.com/7e603b8b2c76cd6eed9a33a20a9525d4
 (also a14fdb9746262549bbbb96abb87338bacd147e1b) should fix it.

Please verify.

[2016-08-11 20:55 UTC] fernando at null-life dot com

Patch works OK. Thanks.

operac@hp2:~/testafl$ /home/operac/build2/bin/php -n 72799.php
NULL
operac@hp2:~/testafl$ cat 72799.php
<?php

$xml = <<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version="1.0">
    <var name="XXXX">
        <boolean value="1">
            <dateTime>1998-06-12T04:32:12+00</dateTime>
        </boolean>
    </var>
</wddxPacket>
XML;

$array = wddx_deserialize($xml);

var_dump($array);

[2016-08-15 06:00 UTC] stas@php.net

-CVE-ID: +CVE-ID: needed

[2016-08-17 06:43 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-08-17 06:43 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2016-09-05 15:29 UTC] remi@php.net

-CVE-ID: needed +CVE-ID: 2016-7132

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC