Bug #51615 PHP crash with wrong HTML in SimpleXML
Submitted: 2010-04-20 13:28 UTC
Modified: 2010-04-20 18:24 UTC
From: vrana@php.net
Assigned: felipe
Status: Closed
Package: SimpleXML related
PHP Version: 5.3.2
OS: Windows XP
Private report: No
CVE-ID:
 [2010-04-20 13:28 UTC] vrana@php.net
Description:
------------
It is possible to load incorrect HTML with DOM and import it with simplexml_import_dom().

Under certain circumstances, PHP crashes after an attempt to work with this HTML.

Test script:
---------------
<?php
$dom = new DOMDocument;
$dom->loadHTML('<span title=""y">x</span>');
$html = simplexml_import_dom($dom);
echo ($html->body->span ? $html->body->span : '');
?>


Expected result:
----------------
x

Actual result:
--------------
Thread 0 - System ID 5696
Entry point   php!mainCRTStartup 
Create time   20.4. 13:24:02 
Time spent in user mode   0 Days 0:0:0.437 
Time spent in kernel mode   0 Days 0:0:0.140 

Function     Arg 1     Arg 2     Arg 3   Source 
php5ts!_estrdup+d     00000000     01cbd968     00000000    
php5ts!sxe_get_prop_hash+1b8     011d0c78     011d0a60     00372740    
php5ts!sxe_object_cast+36     011d08b0     00c0fb94     00000003    
php5ts!ZEND_JMPZ_SPEC_VAR_HANDLER+12f     00c0fc0c     00372740     00c0fea8    
php5ts!execute+2fe     01200080     00372700     00000000    
php5ts!zend_execute_scripts+f6     00000008     00372740     00000000    
php5ts!php_execute_script+245     00c0fea8     00372740     00000000    
php!main+bf1     00000002     003726d0     00372cd0    
php!mainCRTStartup+e3     00000000     00000000     7ffdf000    
kernel32!BaseProcessStart+23     00402d78     00000000     00000000    

PHP5TS!_ESTRDUP+D
In php__PID__5476__Date__04_20_2010__Time_01_24_03PM__267__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!_estrdup+d in C:\Program Files\PHP\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000000 on thread 0

History

 [2010-04-20 18:24 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=298224
Log: - Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML)
 [2010-04-20 18:24 UTC] felipe@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: felipe
 [2010-04-20 18:24 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 