Sec Bug #65236 heap corruption in xml parser
Submitted: 2013-07-10 17:29 UTC
Modified: 2013-07-12 14:27 UTC
From: johannes@php.net
Assigned: johannes
Status: Closed
Package: *XML functions
PHP Version: 5.3.26
OS: *
Private report: No
CVE-ID: 2013-4113
 [2013-07-10 17:29 UTC] johannes@php.net
Description:
------------
Badly formed XML might corrupt the heap.

Test script:
---------------
<?php
xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);

Expected result:
----------------
Warning: xml_parse_into_struct(): Maximum depth exceeded - Results truncated

Actual result:
--------------
heap corruption
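
Added example (not part of the original report and not PHP's own test code): a POSIX shell check that runs the test script above in a child `php` process and classifies the outcome, so a crash cannot take down the caller. The function names, the `--check` switch and the three outcome labels are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: run the report's test script in a child PHP process and
# classify the outcome. All names and labels here are illustrative.

# The test script from the report, in the form `php -r` expects (no <?php tag).
REPRO='xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);'

# classify_result EXIT_STATUS OUTPUT
# Prints one of: crashed | expected-warning | inconclusive
classify_result() {
    rc=$1
    out=$2
    # A shell reports a child killed by signal N as status 128+N
    # (SIGSEGV, signal 11, gives 139). 255 is excluded: PHP uses it for fatal errors.
    if [ "$rc" -gt 128 ] && [ "$rc" -lt 255 ]; then
        echo crashed
        return 0
    fi
    case $out in
        # The message the report lists under "Expected result".
        *"Maximum depth exceeded"*) echo expected-warning ;;
        # Heap corruption does not always crash, so a quiet run proves nothing.
        *) echo inconclusive ;;
    esac
}

# check_php [PHP_BINARY]: run the test script and classify what happened.
check_php() {
    php_bin=${1:-php}
    # Show warnings on the CLI regardless of php.ini, and capture stderr too.
    out=$("$php_bin" -d display_errors=1 -d error_reporting=-1 -r "$REPRO" 2>&1)
    rc=$?
    classify_result "$rc" "$out"
}

# Usage: sh check65236.sh --check [/path/to/php]
if [ "${1:-}" = "--check" ]; then
    check_php "${2:-php}"
fi
```

An `inconclusive` result means the binary neither printed the expected warning nor died on a signal; treat it as unverified and confirm the installed version against the vendor's advisory for CVE-2013-4113.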

Patches

bug65236.diff (last revision 2013-07-10 17:29 UTC by johannes@php.net)


History

 [2013-07-10 17:29 UTC] johannes@php.net
The following patch has been added/updated:

Patch Name: bug65236.diff
Revision:   1373477384
URL:        https://bugs.php.net/patch-display.php?bug=65236&patch=bug65236.diff&revision=1373477384
 [2013-07-10 17:31 UTC] johannes@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: johannes
 [2013-07-12 14:27 UTC] dsp@php.net
-CVE-ID:
+CVE-ID: 2013-4113
 [2013-07-20 19:05 UTC] andy at webtatic dot com
The news page mentions this security fix is in PHP 5.5.1, however the changelog on 
the website has no mention of it. Is it affecting PHP 5.4/5.5 or not?
 [2013-07-20 21:50 UTC] william dot betts at gmail dot com
"The news page mentions this security fix is in PHP 5.5.1, however the changelog 
on the website has no mention of it. Is it affecting PHP 5.4/5.5 or not?"

Yes, versions other than PHP 5.5 are affected.

$ php -v
PHP 5.4.4 (cli) (built: Jul  4 2012 17:28:56) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans


c.php:
<?php
xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);

$ php c.php
Segmentation fault: 11
 [2013-07-21 11:55 UTC] andy at webtatic dot com
Are there other CVE identifiers for the other versions then? As the description of 
the linked CVE mentions only PHP before 5.3.27
 
Last updated: Wed Apr 16 04:02:11 2014 UTC