Sec Bug #72799 wddx_deserialize null dereference in php_wddx_pop_element
Submitted: 2016-08-10 04:29 UTC Modified: 2016-09-05 15:29 UTC
From: fernando at null-life dot com Assigned: stas (profile)
Status: Closed Package: WDDX related
PHP Version: 5.6.24 OS: *
Private report: No CVE-ID: 2016-7132

 [2016-08-10 04:29 UTC] fernando at null-life dot com
If we add an element to a boolean leaf of the XML struct, a null pointer dereference will happen when the element is popped.

Source code:

static void php_wddx_pop_element(void *user_data, const XML_Char *name)
  if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
    target_hash = HASH_OF(ent2->data);

GDB output

$ gdb -q --args  /home/operac/build2/bin/php -n wdx13bis.php
Stopped reason: SIGSEGV
0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
997   if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
gdb-peda$ bt
#0  0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
#1  0x00000000015eca92 in _end_element_handler (user=0x7ffff7f30650, name=<optimized out>) at /home/operac/build2/php-src-56/ext/xml/compat.c:228
gdb-peda$ p *ent2
$2 = {
  data = 0x0,
  type = ST_BOOLEAN,
  varname = 0x0
}
Test script:

<?php
$xml = <<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version="1.0">
    <var name="XXXX">
        <boolean value="1">
XML;

$array = wddx_deserialize($xml);

Expected result:
No crash

Actual result:
operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -v 
PHP 5.6.26-dev (cli) (built: Aug  7 2016 02:21:28) (DEBUG)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -n wdx2.php
==18201==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000015a8f84 bp 0x7ffc7e2c8dc0 sp 0x7ffc7e2c8c80 T0)
    #0 0x15a8f83 in php_wddx_pop_element /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
    #1 0x15eca91 in _end_element_handler /home/operac/build2/php-src-56/ext/xml/compat.c:228
    #2 0x7f3964cac13c  (/usr/lib/x86_64-linux-gnu/
    #3 0x7f3964cb83bc  (/usr/lib/x86_64-linux-gnu/
    #4 0x7f3964cb962a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/
    #5 0x15efa8a in php_XML_Parse /home/operac/build2/php-src-56/ext/xml/compat.c:605
    #6 0x15c6f82 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1175
    #7 0x15c8037 in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1387
    #8 0x1d5bdc3 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #9 0x1c0506c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #10 0x194cdb2 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #11 0x169ad0f in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #12 0x1d64d96 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #13 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #14 0x7f3963f4b82f in __libc_start_main (/lib/x86_64-linux-gnu/
    #15 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)


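The state in the gdb dump above (a stack entry of type ST_BOOLEAN whose data pointer is 0x0, sitting underneath the nested element that is being popped) is easy to model in isolation. The following is a hypothetical C model added here for illustration; it is not php-src code and the names st_entry, wddx_stack and ST_BOOLEAN are only borrowed from the trace. It puts the unguarded parent check beside a NULL-guarded one so the crash path and the safe path can be compared; the guard is one possible hardening and is not the committed fix.

```c
/* Hypothetical model of the parser stack from the report; not php-src code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { IS_NULL, IS_BOOL, IS_ARRAY } zval_type;
typedef struct { zval_type type; int children; } zval;   /* toy zval */

typedef enum { ST_BOOLEAN, ST_ARRAY } st_type;
typedef struct {
    zval *data;            /* may be NULL: gdb printed data = 0x0 for the boolean */
    st_type type;
    const char *varname;
} st_entry;

#define STACK_MAX 8
typedef struct { st_entry elements[STACK_MAX]; int top; } wddx_stack;

typedef enum {
    POP_EMPTY, POP_ROOT, POP_MERGED, POP_PARENT_SCALAR, POP_PARENT_NO_DATA
} pop_result;

static bool stack_push(wddx_stack *st, zval *data, st_type type, const char *varname)
{
    if (st->top >= STACK_MAX) return false;
    st->elements[st->top++] = (st_entry){ data, type, varname };
    return true;
}

/* Shape of the reported bug: the parent's payload is read without a NULL check. */
static pop_result pop_element_unguarded(wddx_stack *st)
{
    if (st->top == 0) return POP_EMPTY;
    if (st->top == 1) { st->top--; return POP_ROOT; }
    st_entry *ent2 = &st->elements[st->top - 2];      /* parent of the popped element */
    bool container = (ent2->data->type == IS_ARRAY);  /* crashes when ent2->data == NULL */
    if (container) ent2->data->children++;
    st->top--;
    return container ? POP_MERGED : POP_PARENT_SCALAR;
}

/* Hardened: a parent with no payload cannot receive a child, so the child is dropped. */
static pop_result pop_element_guarded(wddx_stack *st)
{
    if (st->top == 0) return POP_EMPTY;
    if (st->top == 1) { st->top--; return POP_ROOT; }
    st_entry *ent2 = &st->elements[st->top - 2];
    if (ent2->data == NULL) { st->top--; return POP_PARENT_NO_DATA; }
    bool container = (ent2->data->type == IS_ARRAY);
    if (container) ent2->data->children++;
    st->top--;
    return container ? POP_MERGED : POP_PARENT_SCALAR;
}

/* Stack as the gdb dump shows it: a ST_BOOLEAN entry with data = 0x0 and
   varname = 0x0 underneath the nested element that is being popped. */
static pop_result replay_report(bool guarded)
{
    zval child = { IS_BOOL, 0 };
    wddx_stack st = { .top = 0 };
    stack_push(&st, NULL, ST_BOOLEAN, NULL);
    stack_push(&st, &child, ST_BOOLEAN, NULL);
    return guarded ? pop_element_guarded(&st) : pop_element_unguarded(&st);
}

/* Well-formed case for comparison: an array parent absorbing a child. */
static pop_result replay_array_parent(bool guarded)
{
    zval parent = { IS_ARRAY, 0 }, child = { IS_BOOL, 0 };
    wddx_stack st = { .top = 0 };
    stack_push(&st, &parent, ST_ARRAY, "XXXX");
    stack_push(&st, &child, ST_BOOLEAN, NULL);
    return guarded ? pop_element_guarded(&st) : pop_element_unguarded(&st);
}

int main(void)
{
    printf("array parent, guarded:   %d\n", replay_array_parent(true));
    printf("array parent, unguarded: %d\n", replay_array_parent(false));
    printf("report state, guarded:   %d (POP_PARENT_NO_DATA=%d)\n",
           replay_report(true), POP_PARENT_NO_DATA);
    /* replay_report(false) would dereference NULL, as in the ASan trace above. */
    return 0;
}
```

Both pop routines agree on the well-formed array case; only the guarded one survives the stack state from the report, which is the property a regression test for this class of bug should pin down.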
 [2016-08-11 06:45 UTC]
-Assigned To: +Assigned To: stas
 [2016-08-11 06:45 UTC]
the patch in
 (also a14fdb9746262549bbbb96abb87338bacd147e1b) should fix it.

Please verify.
 [2016-08-11 20:55 UTC] fernando at null-life dot com
Patch works OK. Thanks.

operac@hp2:~/testafl$ /home/operac/build2/bin/php -n 72799.php
operac@hp2:~/testafl$ cat 72799.php

<?php
$xml = <<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version="1.0">
    <var name="XXXX">
        <boolean value="1">
XML;

$array = wddx_deserialize($xml);

 [2016-08-15 06:00 UTC]
-CVE-ID: +CVE-ID: needed
 [2016-08-17 06:43 UTC]
-Status: Assigned +Status: Closed
 [2016-08-17 06:43 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2016-09-05 15:29 UTC]
-CVE-ID: needed +CVE-ID: 2016-7132
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue May 18 09:01:24 2021 UTC