Patches: bug73135.patch (last revision 2016-10-16 06:56 UTC by edgar dot r dot sandi at gmail dot com)

History:
[2016-09-25 23:09 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-10-16 07:01 UTC] edgar dot r dot sandi at gmail dot com
[2016-10-17 13:35 UTC] cmb@php.net
-Package: XML Reader
+Package: XML related
[2017-01-08 17:21 UTC] krakjoe@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: krakjoe
[2017-01-08 17:21 UTC] krakjoe@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Fri Oct 24 05:00:02 2025 UTC
Description:
------------
When PHP (all versions) tries to parse an XML document, it crashes inside libxml.

Test script:
---------------
<?php
// Start-element handler: $xml is not in scope here, so this re-enters
// xml_parse() with empty data from inside a running parse.
function start_elem($parser) {
    xml_parse($parser, $xml);
}

$xml = <<<HERE
<a xmlns="ahihi">
  <bar foo="ahihi"/>
</a>
HERE;

$parser = xml_parser_create_ns();
xml_set_element_handler($parser, 'start_elem', 'ahihi');
xml_parse($parser, $xml);

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb php-src-PHP-5.6.26/sapi/cli/php
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
...
gdb-peda$ r crash.php
Starting program: /home/s/php/php-src-PHP-5.6.26/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x61 ('a')
RBX: 0x16a4780 --> 0x16a1f20 --> 0x0
RCX: 0x16a20f0 --> 0x16a24d0 --> 0x0
RDX: 0x16a279a --> 0x3e61 ('a>')
RSI: 0x0
RDI: 0x16a4780 --> 0x16a1f20 --> 0x0
RBP: 0x0
RSP: 0x7fffffff9860 --> 0x16a2795 --> 0x3e612f3c0a3e2f ('/>\n</a>')
RIP: 0x7ffff65b1b3a (movzx r9d,BYTE PTR [rbp+0x0])
R8 : 0x101
R9 : 0x0
R10: 0x16a20f0 --> 0x16a24d0 --> 0x0
R11: 0x6
R12: 0x0
R13: 0x101
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff65b1b33:	movzx  eax,BYTE PTR [rdx]
   0x7ffff65b1b36:	test   al,al
   0x7ffff65b1b38:	je     0x7ffff65b1b78
=> 0x7ffff65b1b3a:	movzx  r9d,BYTE PTR [rbp+0x0]
   0x7ffff65b1b3f:	cmp    al,r9b
   0x7ffff65b1b42:	jne    0x7ffff65b1ba0
   0x7ffff65b1b44:	mov    eax,DWORD PTR [r10+0x38]
   0x7ffff65b1b48:	mov    rcx,rbp
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9860 --> 0x16a2795 --> 0x3e612f3c0a3e2f ('/>\n</a>')
0008| 0x7fffffff9868 --> 0x16a4780 --> 0x16a1f20 --> 0x0
0016| 0x7fffffff9870 --> 0x0
0024| 0x7fffffff9878 --> 0x7ffff65bac5f (mov r15,rax)
0032| 0x7fffffff9880 --> 0x1
0040| 0x7fffffff9888 --> 0x7ffff65b47f9 (<xmlParseCharData+393>:	mov r8,QWORD PTR [r14+0x38])
0048| 0x7fffffff9890 --> 0x7fffffff9910 --> 0x7fffffff9958 --> 0x1453bd0 --> 0x700000008
0056| 0x7fffffff9898 --> 0xaad65f (<zend_parse_arg+87>:	mov QWORD PTR [rbp-0x20],rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff65b1b3a in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
gdb-peda$ bt
#0  0x00007ffff65b1b3a in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#1  0x00007ffff65bac5f in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#2  0x00007ffff65c0723 in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#3  0x00007ffff65c213e in xmlParseChunk () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#4  0x000000000096188b in php_XML_Parse (parser=0x7ffff7fcd9e8, data=0x7ffff7e92058 "", data_len=0x0, is_final=0x0) at /home/s/php/php-src-PHP-5.6.26/ext/xml/compat.c:605
#5  0x000000000095f22c in zif_xml_parse (ht=0x2, return_value=0x7ffff7fcb640, return_value_ptr=0x7ffff7f95470, this_ptr=0x0, return_value_used=0x0) at /home/s/php/php-src-PHP-5.6.26/ext/xml/xml.c:1459
#6  0x0000000000aefaef in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f95488) at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:558
#7  0x0000000000af53d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f95488) at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:2602
#8  0x0000000000aef15e in execute_ex (execute_data=0x7ffff7f95488) at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:363
#9  0x0000000000aef1e7 in zend_execute (op_array=0x16a2670) at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:388
#10 0x0000000000a94a4d in zend_call_function (fci=0x7fffffff9e40, fci_cache=0x7fffffff9d00)
....
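The backtrace shows what the reproducer does: xml_parse() is called a second time from inside a start-element handler while libxml's xmlParseChunk() is still on the stack, with empty data (data_len=0) because $xml is not in scope in the handler. The wrapper below is an added example, not code from the bug report or from php-src: it refuses re-entrant calls before they reach libxml and turns a failed xml_parse() into an exception instead of ignoring its return value. The class, the $parsing flag, the hook parameter and the method names are assumptions made for this example; the XML document is constructed to match the reproducer's shape.

```php
<?php
// Added example (not from the bug report or php-src): a wrapper around
// ext/xml that blocks re-entrant xml_parse() calls from handlers and
// reports parse errors. Names below are assumptions for the example.
final class GuardedXmlParser
{
    private $parser;
    private $parsing = false;  // true while xml_parse() is on the stack
    private $onStartHook;      // optional callable run on each start tag
    public $events = [];

    public function __construct($onStartHook = null)
    {
        $this->onStartHook = $onStartHook;
        $this->parser = xml_parser_create_ns();
        xml_set_element_handler(
            $this->parser,
            [$this, 'onStart'],
            [$this, 'onEnd']
        );
    }

    public function onStart($parser, $name, array $attrs)
    {
        $this->events[] = "start:$name";
        if ($this->onStartHook !== null) {
            call_user_func($this->onStartHook, $this);
        }
    }

    public function onEnd($parser, $name)
    {
        $this->events[] = "end:$name";
    }

    // Parse one chunk. Throws before touching libxml if a handler calls
    // back into parse(), and throws instead of silently returning false.
    public function parse($data, $isFinal = true)
    {
        if ($this->parsing) {
            throw new LogicException('xml_parse() called re-entrantly from a handler');
        }
        $this->parsing = true;
        try {
            if (!xml_parse($this->parser, $data, $isFinal)) {
                throw new RuntimeException(sprintf(
                    'XML error "%s" at line %d',
                    xml_error_string(xml_get_error_code($this->parser)),
                    xml_get_current_line_number($this->parser)
                ));
            }
        } finally {
            $this->parsing = false;
        }
        return $this->events;
    }
}

// Constructed sample document, the same shape as the reproducer's.
$xml = <<<XML
<a xmlns="ahihi">
  <bar foo="ahihi"/>
</a>
XML;

// Normal use: start/end events in document order with namespace-qualified names.
$p = new GuardedXmlParser();
print_r($p->parse($xml));

// A handler that tries to parse again is stopped at the guard; the
// LogicException surfaces once control returns from xml_parse().
$reentrant = new GuardedXmlParser(function (GuardedXmlParser $self) use ($xml) {
    $self->parse($xml);
});
try {
    $reentrant->parse($xml);
} catch (LogicException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}
```

The guard is userland-only: it cannot fix the libxml state that the original crash corrupts, but it keeps application code from ever issuing the nested call, and checking xml_parse()'s return value makes malformed or truncated input visible instead of silently producing partial event streams.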