PHP :: Sec Bug #65236 :: heap corruption in xml parser

Sec Bug #65236	heap corruption in xml parser
Submitted:	2013-07-10 17:29 UTC	Modified:	2013-07-12 14:27 UTC
From:	johannes@php.net	Assigned:	johannes (profile)
Status:	Closed	Package:	*XML functions
PHP Version:	5.3.26	OS:	*
Private report:	No	CVE-ID:	2013-4113

View Developer Edit

[2013-07-10 17:29 UTC] johannes@php.net

Description:
------------
Badly formed XML might corrupt the heap.

Test script:
---------------
<?php
xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);

Expected result:
----------------
Warning: xml_parse_into_struct(): Maximum depth exceeded - Results truncated

Actual result:
--------------
heap corruption

Patches

bug65236.diff (last revision 2013-07-10 17:29 UTC by johannes@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-07-10 17:29 UTC] johannes@php.net

The following patch has been added/updated:

Patch Name: bug65236.diff
Revision:   1373477384
URL:        https://bugs.php.net/patch-display.php?bug=65236&patch=bug65236.diff&revision=1373477384

[2013-07-10 17:31 UTC] johannes@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: johannes

[2013-07-10 17:31 UTC] johannes@php.net

Fixed by rrichards in http://git.php.net/?p=php-src.git;a=commit;h=7d163e8a0880ae8af2dd869071393e5dc07ef271

[2013-07-12 14:27 UTC] dsp@php.net

-CVE-ID: +CVE-ID: 2013-4113

[2013-07-20 19:05 UTC] andy at webtatic dot com

The news page mentions this security fix is in PHP 5.5.1, however the changelog on 
the website has no mention of it. Is it affecting PHP 5.4/5.5 or not?

[2013-07-20 21:50 UTC] william dot betts at gmail dot com

"The news page mentions this security fix is in PHP 5.5.1, however the changelog 
on the website has no mention of it. Is it affecting PHP 5.4/5.5 or not?"

Yes, versions of than php 5.5 are effected.

$ php -v
PHP 5.4.4 (cli) (built: Jul  4 2012 17:28:56) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans


c.php:
<?php
xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);

$php c.php
Segmentation fault: 11

[2013-07-21 11:55 UTC] andy at webtatic dot com

Are there other CVE identifiers for the other versions then? As the description of 
the linked CVE mentions only PHP before 5.3.27

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 05:00:02 2025 UTC