Bug #73135 Malformed XML causes PHP segfault
Submitted: 2016-09-21 02:30 UTC Modified: 2017-01-08 17:21 UTC
From: ahihibughunter at gmail dot com Assigned: krakjoe (profile)
Status: Closed Package: XML related
PHP Version: 7.0.11 OS: ALL
Private report: No CVE-ID: None
 [2016-09-21 02:30 UTC] ahihibughunter at gmail dot com
Description:
------------
When PHP (all versions) tries to parse an XML document, it crashes inside libxml.

Test script:
---------------
<?php
// Element-start handler: it re-enters xml_parse() on the parser that is
// currently invoking it. $xml is not visible in function scope (no "global"),
// so the nested call receives empty data, matching data="" and data_len=0
// in the backtrace below.
function start_elem($parser) {
        xml_parse($parser, $xml);
}

$xml = <<<HERE
<a xmlns="ahihi">
  <bar foo="ahihi"/>
</a>
HERE;

$parser = xml_parser_create_ns();
// Start handler is start_elem above; the end handler name 'ahihi' refers to
// no defined function.
xml_set_element_handler($parser,'start_elem','ahihi');
xml_parse($parser, $xml);


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb php-src-PHP-5.6.26/sapi/cli/php 
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
...
gdb-peda$ r crash.php 
Starting program: /home/s/php/php-src-PHP-5.6.26/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x61 ('a')
RBX: 0x16a4780 --> 0x16a1f20 --> 0x0 
RCX: 0x16a20f0 --> 0x16a24d0 --> 0x0 
RDX: 0x16a279a --> 0x3e61 ('a>')
RSI: 0x0 
RDI: 0x16a4780 --> 0x16a1f20 --> 0x0 
RBP: 0x0 
RSP: 0x7fffffff9860 --> 0x16a2795 --> 0x3e612f3c0a3e2f ('/>\n</a>')
RIP: 0x7ffff65b1b3a (movzx  r9d,BYTE PTR [rbp+0x0])
R8 : 0x101 
R9 : 0x0 
R10: 0x16a20f0 --> 0x16a24d0 --> 0x0 
R11: 0x6 
R12: 0x0 
R13: 0x101 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff65b1b33:	movzx  eax,BYTE PTR [rdx]
   0x7ffff65b1b36:	test   al,al
   0x7ffff65b1b38:	je     0x7ffff65b1b78
=> 0x7ffff65b1b3a:	movzx  r9d,BYTE PTR [rbp+0x0]
   0x7ffff65b1b3f:	cmp    al,r9b
   0x7ffff65b1b42:	jne    0x7ffff65b1ba0
   0x7ffff65b1b44:	mov    eax,DWORD PTR [r10+0x38]
   0x7ffff65b1b48:	mov    rcx,rbp
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9860 --> 0x16a2795 --> 0x3e612f3c0a3e2f ('/>\n</a>')
0008| 0x7fffffff9868 --> 0x16a4780 --> 0x16a1f20 --> 0x0 
0016| 0x7fffffff9870 --> 0x0 
0024| 0x7fffffff9878 --> 0x7ffff65bac5f (mov    r15,rax)
0032| 0x7fffffff9880 --> 0x1 
0040| 0x7fffffff9888 --> 0x7ffff65b47f9 (<xmlParseCharData+393>:	mov    r8,QWORD PTR [r14+0x38])
0048| 0x7fffffff9890 --> 0x7fffffff9910 --> 0x7fffffff9958 --> 0x1453bd0 --> 0x700000008 
0056| 0x7fffffff9898 --> 0xaad65f (<zend_parse_arg+87>:	mov    QWORD PTR [rbp-0x20],rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff65b1b3a in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
gdb-peda$ bt
#0  0x00007ffff65b1b3a in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#1  0x00007ffff65bac5f in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#2  0x00007ffff65c0723 in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#3  0x00007ffff65c213e in xmlParseChunk () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#4  0x000000000096188b in php_XML_Parse (parser=0x7ffff7fcd9e8, data=0x7ffff7e92058 "", data_len=0x0, is_final=0x0)
    at /home/s/php/php-src-PHP-5.6.26/ext/xml/compat.c:605
#5  0x000000000095f22c in zif_xml_parse (ht=0x2, return_value=0x7ffff7fcb640, return_value_ptr=0x7ffff7f95470, 
    this_ptr=0x0, return_value_used=0x0) at /home/s/php/php-src-PHP-5.6.26/ext/xml/xml.c:1459
#6  0x0000000000aefaef in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f95488)
    at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:558
#7  0x0000000000af53d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f95488)
    at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:2602
#8  0x0000000000aef15e in execute_ex (execute_data=0x7ffff7f95488)
    at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:363
#9  0x0000000000aef1e7 in zend_execute (op_array=0x16a2670)
    at /home/s/php/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:388
#10 0x0000000000a94a4d in zend_call_function (fci=0x7fffffff9e40, fci_cache=0x7fffffff9d00)
....
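Added here as an example, not code from the bug report or from php-src: a userland driver that refuses to call xml_parse() re-entrantly from inside a handler (the pattern the test script above uses) and instead queues any follow-up document until the outer parse has returned. The class and method names are assumed for illustration.

```php
<?php
// Added example (not from the bug report or php-src): a userland driver that
// refuses to re-enter xml_parse() from inside a handler, the pattern in the
// crash script, and queues follow-up documents until the outer parse returns.
final class GuardedXmlDriver
{
    private $parsing  = false;  // true while xml_parse() is on the call stack
    private $deferred = [];     // documents queued by handlers for later parsing
    public  $events   = [];     // start/end events seen, for inspection

    public function onStart($parser, $name, array $attrs)
    {
        $this->events[] = "start:$name";
        // Never call xml_parse() from here; queue the follow-up document instead.
        if (isset($attrs['foo'])) {
            $this->deferred[] = '<extra>' . htmlspecialchars($attrs['foo'], ENT_XML1) . '</extra>';
        }
    }

    public function onEnd($parser, $name)
    {
        $this->events[] = "end:$name";
    }
    public function parse($xml)
    {
        if ($this->parsing) {
            throw new LogicException('xml_parse() must not be called recursively');
        }
        $this->parsing = true;
        $parser = xml_parser_create_ns();   // one fresh parser per document
        xml_set_element_handler($parser, [$this, 'onStart'], [$this, 'onEnd']);
        try {
            if (!xml_parse($parser, $xml, true)) {
                throw new RuntimeException(xml_error_string(xml_get_error_code($parser)));
            }
        } finally {
            xml_parser_free($parser);
            $this->parsing = false;
        }
        // Drain queued documents only after the parser that queued them has returned.
        while (($next = array_shift($this->deferred)) !== null) {
            $this->parse($next);
        }
    }
}
// Constructed input: the same document as the bug's test script.
$driver = new GuardedXmlDriver();
$driver->parse("<a xmlns=\"ahihi\">\n  <bar foo=\"ahihi\"/>\n</a>");
print_r($driver->events);
```

The events array lists the start/end events for the original document first, then those for the queued <extra> document, showing that the follow-up parse never overlaps the one that requested it.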

Patches

bug73135.patch (last revision 2016-10-16 06:56 UTC by edgar dot r dot sandi at gmail dot com)

Pull Requests

History

 [2016-09-25 23:09 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-10-16 07:01 UTC] edgar dot r dot sandi at gmail dot com
The patch for this bug is in https://github.com/php/php-src/pull/2166
 [2016-10-17 13:35 UTC] cmb@php.net
-Package: XML Reader +Package: XML related
 [2017-01-08 17:21 UTC] krakjoe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe
 [2017-01-08 17:21 UTC] krakjoe@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
