Bug #73135 malformed XML causes PHP segfault
Submitted: 2016-09-21 02:30 UTC Modified: 2017-01-08 17:21 UTC
From: ahihibughunter at gmail dot com Assigned: krakjoe (profile)
Status: Closed Package: XML related
PHP Version: 7.0.11 OS: ALL
Private report: No CVE-ID: None
 [2016-09-21 02:30 UTC] ahihibughunter at gmail dot com
Description:
------------
When PHP (all versions) tries to parse an XML document, it crashes inside libxml.

Test script:
---------------
<?php
// Start-element handler: re-enters xml_parse() on the same parser that is
// currently invoking it. $xml is not in scope inside this function, so the
// nested call passes an empty string (data_len=0x0 in the backtrace below).
function start_elem($parser) {
        xml_parse($parser, $xml);
}

$xml = <<<HERE
<a xmlns="ahihi">
  <bar foo="ahihi"/>
</a>
HERE;

$parser = xml_parser_create_ns();
// 'ahihi' is passed as the end-element handler name; no such function is defined.
xml_set_element_handler($parser,'start_elem','ahihi');
xml_parse($parser, $xml);


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb php-src-PHP-5.6.26/sapi/cli/php 
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
...
gdb-peda$ r crash.php 
Starting program: /home/s/php/php-src-PHP-5.6.26/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x61 ('a')
RBX: 0x16a4780 --> 0x16a1f20 --> 0x0 
RCX: 0x16a20f0 --> 0x16a24d0 --> 0x0 
RDX: 0x16a279a --> 0x3e61 ('a>')
RSI: 0x0 
RDI: 0x16a4780 --> 0x16a1f20 --> 0x0 
RBP: 0x0 
RSP: 0x7fffffff9860 --> 0x16a2795 --> 0x3e612f3c0a3e2f ('/>\n</a>')
RIP: 0x7ffff65b1b3a (movzx  r9d,BYTE PTR [rbp+0x0])
R8 : 0x101 
R9 : 0x0 
R10: 0x16a20f0 --> 0x16a24d0 --> 0x0 
R11: 0x6 
R12: 0x0 
R13: 0x101 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff65b1b33:	movzx  eax,BYTE PTR [rdx]
   0x7ffff65b1b36:	test   al,al
   0x7ffff65b1b38:	je     0x7ffff65b1b78
=> 0x7ffff65b1b3a:	movzx  r9d,BYTE PTR [rbp+0x0]
   0x7ffff65b1b3f:	cmp    al,r9b
   0x7ffff65b1b42:	jne    0x7ffff65b1ba0
   0x7ffff65b1b44:	mov    eax,DWORD PTR [r10+0x38]
   0x7ffff65b1b48:	mov    rcx,rbp
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9860 --> 0x16a2795 --> 0x3e612f3c0a3e2f ('/>\n</a>')
0008| 0x7fffffff9868 --> 0x16a4780 --> 0x16a1f20 --> 0x0 
0016| 0x7fffffff9870 --> 0x0 
0024| 0x7fffffff9878 --> 0x7ffff65bac5f (mov    r15,rax)
0032| 0x7fffffff9880 --> 0x1 
0040| 0x7fffffff9888 --> 0x7ffff65b47f9 (<xmlParseCharData+393>:	mov    r8,QWORD PTR [r14+0x38])
0048| 0x7fffffff9890 --> 0x7fffffff9910 --> 0x7fffffff9958 --> 0x1453bd0 --> 0x700000008 
0056| 0x7fffffff9898 --> 0xaad65f (<zend_parse_arg+87>:	mov    QWORD PTR [rbp-0x20],rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff65b1b3a in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
gdb-peda$ bt
#0  0x00007ffff65b1b3a in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#1  0x00007ffff65bac5f in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#2  0x00007ffff65c0723 in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#3  0x00007ffff65c213e in xmlParseChunk () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#4  0x000000000096188b in php_XML_Parse (parser=0x7ffff7fcd9e8, data=0x7ffff7e92058 "", data_len=0x0, is_final=0x0)
    at /home/s/php/php-src-PHP-5.6.26/ext/xml/compat.c:605
#5  0x000000000095f22c in zif_xml_parse (ht=0x2, return_value=0x7ffff7fcb640, return_value_ptr=0x7ffff7f95470, 
    this_ptr=0x0, return_value_used=0x0) at /home/s/php/php-src-PHP-5.6.26/ext/xml/xml.c:1459
#6  0x0000000000aefaef in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f95488)
    at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:558
#7  0x0000000000af53d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f95488)
    at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:2602
#8  0x0000000000aef15e in execute_ex (execute_data=0x7ffff7f95488)
    at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:363
#9  0x0000000000aef1e7 in zend_execute (op_array=0x16a2670)
    at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:388
#10 0x0000000000a94a4d in zend_call_function (fci=0x7fffffff9e40, fci_cache=0x7fffffff9d00)
....
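
The reproducer above calls xml_parse() on the parser that is, at that moment, invoking its start-element handler. The following is an added example, not part of the report and not PHP's own ext/xml code, showing a userland wrapper that never feeds a parser from inside its own callbacks: a parse requested while a parse is running is queued and executed on a fresh parser after the outer xml_parse() has returned. The class name, the "nested" attribute convention and the two sample documents are this example's own assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Wraps one ext/xml parser and never feeds it from inside its own callbacks.
 * A parse requested while a parse is already running (i.e. from a handler)
 * is queued and run on a fresh parser after the outer xml_parse() returns.
 */
final class NonReentrantXmlParser
{
    /** @var resource|XMLParser  resource before PHP 8.0, XMLParser object from 8.0 on */
    private $parser;

    /** True while xml_parse() on $this->parser is on the call stack. */
    private bool $parsing = false;

    /** @var string[] documents requested from inside a handler */
    private array $deferred = [];

    /** @var string[] start-element names in the order they were seen, nested documents last */
    public array $events = [];

    public function __construct()
    {
        $this->parser = xml_parser_create_ns();
        xml_parser_set_option($this->parser, XML_OPTION_CASE_FOLDING, 0);
        xml_set_element_handler($this->parser, [$this, 'onStart'], [$this, 'onEnd']);
    }

    /** Start-element handler; the (parser, name, attribs) signature is fixed by ext/xml. */
    public function onStart($parser, string $name, array $attrs): void
    {
        $this->events[] = $name;
        // The reproducer calls xml_parse() right here, on the parser that is
        // invoking us. request() queues the work instead of recursing.
        // The "nested" attribute carrying a second document is this example's
        // own convention, not anything from the report.
        if (isset($attrs['nested'])) {
            $this->request($attrs['nested']);
        }
    }

    public function onEnd($parser, string $name): void
    {
    }

    /** Parse $xml now, or queue it if this parser is already mid-parse. */
    public function request(string $xml): bool
    {
        if ($this->parsing) {
            $this->deferred[] = $xml;
            return true;
        }

        $this->parsing = true;
        try {
            $ok = xml_parse($this->parser, $xml, true) === 1;
        } finally {
            $this->parsing = false;
        }

        // A parser fed with is_final=true is finished, so each deferred
        // document gets its own parser; no libxml state is ever shared.
        while (($next = array_shift($this->deferred)) !== null) {
            $child = new self();
            $ok = $child->request($next) && $ok;
            $this->events = array_merge($this->events, $child->events);
        }
        return $ok;
    }
}

// Constructed sample input (not from the report): the outer document's <bar>
// element carries a second, escaped XML document in its "nested" attribute.
$inner = '<inner xmlns="urn:example"><leaf/></inner>';
$outer = '<a xmlns="ahihi"><bar nested="'
    . htmlspecialchars($inner, ENT_XML1 | ENT_QUOTES, 'UTF-8')
    . '"/></a>';

$p = new NonReentrantXmlParser();
$ok = $p->request($outer);
printf("parsed=%s events=%s\n", $ok ? 'yes' : 'no', implode(' ', $p->events));
```

Deferral changes event ordering: the nested document's elements are reported after the outer document has been fully parsed, which is the price of never touching the parser while libxml is still inside xmlParseChunk() for it. The same guard belongs anywhere a handler can reach application code that might parse XML again, for example an include or entity-resolution hook, since that path re-enters the parser just as directly as the reproducer does.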

Patches

bug73135.patch (last revision 2016-10-16 06:56 UTC by edgar dot r dot sandi at gmail dot com)

Pull Requests

History

 [2016-09-25 23:09 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-10-16 07:01 UTC] edgar dot r dot sandi at gmail dot com
The patch for this bug is in https://github.com/php/php-src/pull/2166
 [2016-10-17 13:35 UTC] cmb@php.net
-Package: XML Reader +Package: XML related
 [2017-01-08 17:21 UTC] krakjoe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe
 [2017-01-08 17:21 UTC] krakjoe@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Sep 14 00:01:28 2024 UTC