Bug #61770 Crash on nonunicode character
Submitted: 2012-04-18 23:31 UTC Modified: 2013-11-19 03:04 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: phpbug at kartio dot org Assigned: bd808
Status: Closed Package: yaml (PECL)
PHP Version: 5.3.10 OS: Linux
Private report: No CVE-ID:
 [2012-04-18 23:31 UTC] phpbug at kartio dot org
Description:
------------
Crashes on some character sequences that are not valid Unicode. Trying to print the same character with a valid UTF-8 sequence doesn't crash.

Test script:
---------------
yaml_emit("\xc2");

Actual result:
--------------
PHP Warning:  yaml_emit(): Memory error: Not enough memory for creating an event (libyaml) in php shell code on line 1

*** glibc detected *** /usr/bin/php: double free or corruption (fasttop): 0x09537278 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6(+0x6b381)[0xb6f4a381]
/lib/i686/cmov/libc.so.6(+0x6cbd8)[0xb6f4bbd8]
/lib/i686/cmov/libc.so.6(cfree+0x6d)[0xb6f4ecbd]
/usr/lib/libyaml-0.so.2(yaml_free+0x21)[0xb6316631]
/usr/lib/libyaml-0.so.2(yaml_event_delete+0x9e)[0xb631687e]
/usr/lib/php5/20090626+lfs/yaml.so(+0x5c05)[0xb6336c05]
/usr/lib/php5/20090626+lfs/yaml.so(+0x62f8)[0xb63372f8]
/usr/lib/php5/20090626+lfs/yaml.so(+0x664b)[0xb633764b]
/usr/lib/php5/20090626+lfs/yaml.so(php_yaml_write_impl+0x12e)[0xb6337b8e]
/usr/lib/php5/20090626+lfs/yaml.so(+0x26e4)[0xb63336e4]
/usr/bin/php(execute_internal+0x4b)[0x8364f5b]
...

 [2012-04-30 03:57 UTC] bd808@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: bd808
 [2012-04-30 05:48 UTC] bd808@php.net
Looks like this is an issue interacting with the underlying libyaml library. There is a note in the writer.c source file that says "Note that we assume that the buffer contains a valid UTF-8 sequence." Currently the extension makes no attempt to validate/cleanse the PHP input string prior to passing it to libyaml.

This could be handled in a couple of ways:
- document the need to ensure valid UTF-8 input
- depend on iconv and ensure valid encoding inside the yaml extension
 [2012-05-03 16:15 UTC] alpacagm at gmail dot com
Corresponding ticket in libyaml bugtracker
http://pyyaml.org/ticket/138 looks dead.
 [2013-04-19 04:22 UTC] bd808@php.net
-Status: Verified +Status: Wont fix
 [2013-11-19 02:17 UTC] bd808@php.net
-Status: Wont fix +Status: Re-Opened
 [2013-11-19 02:17 UTC] bd808@php.net
Crashing just because the upstream library has a bug isn't acceptable. I need to fix this.

Behavior similar to json_encode() for the same input would be acceptable:

    $ php -r 'var_dump(json_encode("\xc2"));'
    PHP Warning:  json_encode(): Invalid UTF-8 sequence in argument in Command line code on line 1
    string(4) "null"
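
Added example, not part of the bug thread and not the patch committed for this bug: a strict UTF-8 check of the kind the comments above call for (validate the input before it reaches libyaml, then warn and refuse as json_encode() does). The function names utf8_first_invalid and safe_for_emitter are hypothetical, and the inputs in main are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Returns the offset of the first byte that breaks well-formed UTF-8
 * (RFC 3629), or -1 if the whole buffer is valid. Rejects truncated
 * sequences, stray continuation bytes, overlong forms, UTF-16 surrogates
 * and code points above U+10FFFF. */
long utf8_first_invalid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need;            /* continuation bytes expected */
        unsigned long cp, min;  /* decoded code point, smallest legal value */

        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0)      { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return (long)i;    /* stray continuation byte or 0xF8..0xFF */

        if (len - i - 1 < need) return (long)i;   /* truncated, e.g. "\xc2" */
        for (size_t k = 1; k <= need; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) return (long)i;
            cp = (cp << 6) | (buf[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return (long)i;     /* overlong, out of range, or surrogate */
        i += need + 1;
    }
    return -1;
}

/* Hypothetical guard an emitter wrapper could call before handing a
 * string to libyaml: 1 = safe to pass on, 0 = refuse and warn. */
int safe_for_emitter(const char *s, size_t len)
{
    long bad = utf8_first_invalid((const unsigned char *)s, len);
    if (bad >= 0)
        fprintf(stderr, "warning: invalid UTF-8 at byte %ld, not emitting\n", bad);
    return bad < 0;
}

int main(void)
{
    /* Constructed inputs: the report's lone lead byte, then a valid "©". */
    printf("%d %d\n", safe_for_emitter("\xc2", 1), safe_for_emitter("\xc2\xa9", 2));
    return 0;
}
```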
 [2013-11-19 03:04 UTC] bd808@php.net
-Status: Re-Opened +Status: Closed
 [2013-11-19 03:04 UTC] bd808@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-11-19 05:46 UTC] bd808@php.net
Patch included in 1.1.1 release.
Last updated: Fri Feb 24 06:01:39 2017 UTC