php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72540 yaml_parse_url assertion
Submitted: 2016-07-04 03:40 UTC Modified: 2017-07-29 19:36 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: fernando at null-life dot com Assigned: bd808 (profile)
Status: Closed Package: yaml (PECL)
PHP Version: 7.0.8 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: fernando at null-life dot com
New email:
PHP Version: OS:

 

 [2016-07-04 03:40 UTC] fernando at null-life dot com
Description:
------------
yaml_parse_url fails with an abort when the passed stream/file is empty, maybe an exception/error should be returned here.

Test script:
---------------
<?php

touch("x");
$v1="x"; $v2=3;
yaml_parse_url($v1, $v2);

Expected result:
----------------
no crash

Actual result:
--------------
crash

pwneable:matatetete fmunozs$ php x.php 
Assertion failed: (input), function yaml_parser_set_input_string, file api.c, line 288.
Abort trap: 6


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-07-04 05:35 UTC] laruence@php.net
-Package: Reproducible crash +Package: yaml
 [2016-09-24 23:12 UTC] bd808@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: bd808
 [2016-09-24 23:12 UTC] bd808@php.net
Affects both 2.0.0 (PHP7) and 1.3.0 (PHP5).

PHP5 crash output is:

    php: api.c:288: yaml_parser_set_input_string: Assertion `input' failed.
    Aborted (core dumped)

yaml_parser_set_input_string is a function from libyaml. That upstream function includes an assert() for non-null input. The extension needs to check for this degenerate case and handle it more gracefully. It would be in keeping with the rest of the API to emit a warning and return null.
 [2017-07-29 16:22 UTC] bd808@php.net
The crash is actually caused by a failure to check the return value of php_stream_copy_to_mem() and then freeing a null pointer. This is a variation on https://bugs.php.net/bug.php?id=70862
 [2017-07-29 19:36 UTC] bd808@php.net
-Status: Verified +Status: Closed
 [2017-07-29 19:36 UTC] bd808@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Dec 06 09:03:34 2021 UTC