php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72210 null ptr deref _xml_add_to_info (xml.c:687)
Submitted: 2016-05-12 19:31 UTC Modified: 2016-07-25 18:10 UTC
From: brian dot carpenter at gmail dot com Assigned: tpunt (profile)
Status: Closed Package: Reproducible crash
PHP Version: N/A OS: Debian 8.2 x64
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: brian dot carpenter at gmail dot com
New email:
PHP Version: OS:

 

 [2016-05-12 19:31 UTC] brian dot carpenter at gmail dot com
Description:
------------
Using the test script in Bug #72099 with PHP 7.1.0-dev (cli) (built: May  6 2016 15:15:38), I'm seeing a null pointer deref.

Test script:
---------------
<?php

$var1=xml_parser_create_ns();
$var2="<xss>";
xml_parse($var1, $var2);

$var2=str_repeat("a", 10);
$var3=[];
$var4=[];
xml_parse_into_struct($var1, $var2, $var3, $var4);
var_dump($var3);

Expected result:
----------------
No crash.

Actual result:
--------------
==126942== Invalid read of size 1
==126942==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==126942==    by 0x11DC7AF: _xml_add_to_info (xml.c:687)
==126942==    by 0x11DC7AF: _xml_characterDataHandler (xml.c:924)
==126942==    by 0x5BEB1B4: xmlParseCharData (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF84CB: xmlParseTryOrFinish (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF8E2D: xmlParseChunk (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x11E7098: php_XML_Parse (compat.c:596)
==126942==    by 0x11D39E1: zif_xml_parse_into_struct (xml.c:1450)
==126942==    by 0x169757E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:615)
==126942==    by 0x1645B42: execute_ex (zend_vm_execute.h:425)
==126942==    by 0x188EFE0: zend_execute (zend_vm_execute.h:470)
==126942==    by 0x145EDD7: zend_execute_scripts (zend.c:1427)
==126942==    by 0x120AD3F: php_execute_script (main.c:2492)
==126942==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==126942== 
==126942== 
==126942== Process terminating with default action of signal 11 (SIGSEGV)
==126942==  Access not within mapped region at address 0x0
==126942==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==126942==    by 0x11DC7AF: _xml_add_to_info (xml.c:687)
==126942==    by 0x11DC7AF: _xml_characterDataHandler (xml.c:924)
==126942==    by 0x5BEB1B4: xmlParseCharData (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF84CB: xmlParseTryOrFinish (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF8E2D: xmlParseChunk (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x11E7098: php_XML_Parse (compat.c:596)
==126942==    by 0x11D39E1: zif_xml_parse_into_struct (xml.c:1450)
==126942==    by 0x169757E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:615)
==126942==    by 0x1645B42: execute_ex (zend_vm_execute.h:425)
==126942==    by 0x188EFE0: zend_execute (zend_vm_execute.h:470)
==126942==    by 0x145EDD7: zend_execute_scripts (zend.c:1427)
==126942==    by 0x120AD3F: php_execute_script (main.c:2492)
==126942==  If you believe this happened as a result of a stack
==126942==  overflow in your program's main thread (unlikely but
==126942==  possible), you can try to increase the size of the
==126942==  main thread stack using the --main-stacksize= flag.
==126942==  The main thread stack size used in this run was 8388608.
Segmentation fault

#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000011dc7b0 in _xml_add_to_info (name=0x0, parser=0x7ffff6078000) at /home/geeknik/php-src/ext/xml/xml.c:687
#2  _xml_characterDataHandler (userData=0x7ffff6078000, s=<optimized out>, len=<optimized out>) at /home/geeknik/php-src/ext/xml/xml.c:924
#3  0x00007ffff6d451b5 in xmlParseCharData__internal_alias (ctxt=ctxt@entry=0x2138850, cdata=cdata@entry=0) at ../../parser.c:4579
#4  0x00007ffff6d524cc in xmlParseTryOrFinish (ctxt=ctxt@entry=0x2138850, terminate=terminate@entry=1) at ../../parser.c:11658
#5  0x00007ffff6d52e2e in xmlParseChunk__internal_alias (ctxt=0x2138850, chunk=0x7ffff60601f8 "aaaaaaaaaa", size=10, terminate=terminate@entry=1)
    at ../../parser.c:12397
#6  0x00000000011e7099 in php_XML_Parse (parser=0x7ffff6085000, data=<optimized out>, data_len=<optimized out>, is_final=is_final@entry=1)
    at /home/geeknik/php-src/ext/xml/compat.c:596
#7  0x00000000011d39e2 in zif_xml_parse_into_struct (execute_data=<optimized out>, return_value=0x7fffffffa8c0) at /home/geeknik/php-src/ext/xml/xml.c:1450
#8  0x000000000169757f in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/geeknik/php-src/Zend/zend_vm_execute.h:615
#9  0x0000000001645b43 in execute_ex (ex=<optimized out>) at /home/geeknik/php-src/Zend/zend_vm_execute.h:425
#10 0x000000000188efe1 in zend_execute (op_array=op_array@entry=0x7ffff6086280, return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:470
#11 0x000000000145edd8 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=-167698384, file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1427
#12 0x000000000120ad40 in php_execute_script (primary_file=0x7fffffffcf20) at /home/geeknik/php-src/main/main.c:2492
#13 0x000000000189ae95 in do_cli (argc=0, argv=0x8) at /home/geeknik/php-src/sapi/cli/php_cli.c:982
#14 0x0000000000450dd1 in main (argc=0, argv=0x8) at /home/geeknik/php-src/sapi/cli/php_cli.c:1352

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-13 05:31 UTC] krakjoe@php.net
-PHP Version: 7.0Git-2016-05-12 (Git) +PHP Version: N/A
 [2016-05-13 05:31 UTC] krakjoe@php.net
Also occurs in 5.
 [2016-07-25 18:10 UTC] tpunt@php.net
Looking at the affected versions, this appears to have been fixed in later patch releases and in master a few months ago:
https://3v4l.org/WbEV0

I'm therefore closing this as resolved - please reply back here if this is not the case.
 [2016-07-25 18:10 UTC] tpunt@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: tpunt
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 13:01:29 2024 UTC