PHP :: Bug #61143 :: XML Parser segfaults on large xml

Bug #61143	XML Parser segfaults on large xml
Submitted:	2012-02-20 13:11 UTC	Modified:	2012-04-02 00:32 UTC
From:	seth dot mos at dds dot nl	Assigned:
Status:	Not a bug	Package:	Reproducible crash
PHP Version:	5.3.10	OS:	FreeBSD 8.3
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2012-02-20 13:11 UTC] seth dot mos at dds dot nl

Description:
------------
Previously we used PHP 5.2.17 in pfSense 2.0 before we upgraded our build process to the current 5.3.10.

We use the suplied xml to PHP array function in pfSense to convert RRD files and add new fields to RRD files.

Here is the PHP version that we use on pfSense.
[2.1-DEVELOPMENT][root@pfsense.localdomain]/root(1): php -v
PHP 5.3.10 with Suhosin-Patch (cgi-fcgi) (built: Feb 17 2012 14:05:19)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH


$xml = file_get_contents("wan-traffic.rrd.old.xml");
$array = xml2array($xml, 1, "tag");
/* this ^^ causes a segfault */

Please see the complete code below and a test file to work on.

Test script:
---------------
PHP code that triggers our crash, please download the entire code and XML file from:

http://iserv.nl/files/pfsense/php/wan-traffic.rrd.old.xml
http://iserv.nl/files/pfsense/php/testscript.txt


Expected result:
----------------
Return a array of the XML data.

Actual result:
--------------
PHP core dumps with a signal 11.
http://iserv.nl/files/pfsense/php/php%20core%20dump%205.3.10%20freebsd%208.3.png

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-02-20 17:50 UTC] rasmus@php.net

-Status: Open +Status: Feedback

[2012-02-20 17:50 UTC] rasmus@php.net

I tried to reproduce this crash with the provided files on both Linux and FreeBSD 
and was unable to. We'll need more information. Could you get a backtrace for us? 
And second, could you try it without Suhosin enabled?

[2012-02-27 19:16 UTC] seth dot mos at dds dot nl

-Status: Feedback +Status: Closed

[2012-02-27 19:16 UTC] seth dot mos at dds dot nl

Just confirmed that disabling the Suhosin extension in our PHP 5.3.10 build succesfully resolves the crash.

We will take this up with the Suhosin maintainers.

Kind regards,

[2012-03-13 13:25 UTC] seth dot mos at dds dot nl

I managed to get a core file and the output from truss.
This is from a PHP with  Suhosin, without Suhosin PHP does not core dump

http://iserv.nl/files/pfsense/phpcore/

Not sure if that is enough.

[2012-03-15 13:15 UTC] seth dot mos at dds dot nl

Hi,

Please find a full backtrace of the Segfault here.
http://redmine.pfsense.org/attachments/download/557/php-gdb-full.txt

Kind regards,

Seth

[2012-03-15 13:17 UTC] seth dot mos at dds dot nl

-Status: Closed +Status: Assigned

[2012-03-15 13:17 UTC] seth dot mos at dds dot nl

Added link to the backtrace with Suhosin enabled. Also notified the Suhosin 
maintainer with this backtrace.

[2012-03-15 15:38 UTC] pajoye@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

[2012-03-15 15:38 UTC] pajoye@php.net

-Status: Assigned +Status: Feedback

[2012-03-15 15:40 UTC] pajoye@php.net

I mean a backtrace without suhosin (be the ext or the patch) but using a plain 
vanilla php.

#2  0x0000000804db9965 in zif_suhosin_extract ... at 
/usr/ports/lang/php5/work/php-5.3.10/Zend/zend_hash.c:54

sounds suspect.

[2012-03-31 11:18 UTC] seth dot mos at dds dot nl

Core dump was related to a out of date Suhosin patch for the PHP5 port in FreeBSD

[2012-03-31 11:18 UTC] seth dot mos at dds dot nl

-Status: Feedback +Status: Closed

[2012-04-02 00:32 UTC] aharvey@php.net

-Status: Closed +Status: Not a bug

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri May 10 23:01:30 2024 UTC