Bug #73293 NULL pointer dereference in SimpleXMLElement::asXML()
Submitted: 2016-10-11 15:51 UTC Modified: 2017-02-13 01:09 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: SimpleXML related
PHP Version: 5.6.26 OS:
Private report: No CVE-ID: None
 [2016-10-11 15:51 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
In the SimpleXMLElement::asXML() function:

    if (node) {
        if (node->parent && (XML_DOCUMENT_NODE == node->parent->type)) {
            xmlDocDumpMemoryEnc((xmlDocPtr) sxe->document->ptr, &strval, &strval_len, ((xmlDocPtr) sxe->document->ptr)->encoding);  // (1) may return strval = NULL and strval_len != 0
            RETVAL_STRINGL((char *)strval, strval_len, 1);  // (2) crash here
            xmlFree(strval);
        } else {
            /* Should we be passing encoding information instead of NULL? */
            outbuf = xmlAllocOutputBuffer(NULL);

            if (outbuf == NULL) {
                RETURN_FALSE;
            }

            xmlNodeDumpOutput(outbuf, (xmlDocPtr) sxe->document->ptr, node, 0, 0, ((xmlDocPtr) sxe->document->ptr)->encoding);  // (3) may have the same problem here
            xmlOutputBufferFlush(outbuf);
#ifdef LIBXML2_NEW_BUFFER
            RETVAL_STRINGL((char *)xmlOutputBufferGetContent(outbuf), xmlOutputBufferGetSize(outbuf), 1);
#else
            RETVAL_STRINGL((char *)outbuf->buffer->content, outbuf->buffer->use, 1);
#endif
            xmlOutputBufferClose(outbuf);
        }
    } else {
        RETVAL_FALSE;
    }


There is a missing NULL check for strval and strval_len before returning it as a string. This causes a NULL pointer dereference.

Test script:
---------------
<?php
    ini_set('memory_limit', -1);   // the ~2 GiB document built below would otherwise hit the PHP memory limit
    session_start();
    // Element body of 0x7ffffff8-20 bytes: large enough that libxml2 cannot serialise the
    // document, so xmlDocDumpMemoryEnc() hands asXML() strval = NULL with strval_len != 0
    // (strval_len is 0x80000002 in the gdb session below).
    $data = '<a>'.str_repeat('b', 0x7ffffff8-20).'</a>';
    $str = <<<XML
$data
XML;

    $xml = new SimpleXMLElement($str);
    $str1 = $xml->asXML();   // RETVAL_STRINGL() copies strval_len bytes from NULL: SIGSEGV in memcpy()

    var_dump(strlen($str));
?>

Expected result:
----------------
No crash

Actual result:
--------------
gdb-peda$ b simplexml.c:1415
Breakpoint 1 at 0x847161: file /home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c, line 1415.

gdb-peda$ r ../test/string/test.php 
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Warning: SimpleXMLElement::__construct(): Memory allocation failed : growing input buffer in /home/user/Desktop/test/string/test.php on line 9

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0xac5cf0 (<execute_ex>:	push   rbp)
RCX: 0x7ffff3e2be00 (<__mmap+64>:	ja     0x7ffff3e2be58 <__mmap+152>)
RDX: 0x0 
RSI: 0x7ffff40eeb38 --> 0x16bbd80 --> 0x0 
RDI: 0xffffffff 
RBP: 0x7fffffffa790 --> 0x7fffffffa800 --> 0x7fffffffa820 --> 0x7fffffffa850 --> 0x7fffffffa880 --> 0x7fffffffa9c0 (--> ...)
RSP: 0x7fffffffa6d0 --> 0x7ffff7fbf640 --> 0x5a5a5a5a00000001 
RIP: 0x847161 (<zim_simplexml_element_asXML+938>:	mov    rax,QWORD PTR [rbp-0x90])
R8 : 0x16bbd90 --> 0x0 
R9 : 0x3fffff00 
R10: 0x1 
R11: 0x207 
R12: 0x441d00 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x847152 <zim_simplexml_element_asXML+923>:	lea    rsi,[rbp-0x90]
   0x847159 <zim_simplexml_element_asXML+930>:	mov    rdi,rax
   0x84715c <zim_simplexml_element_asXML+933>:	call   0x4407e0 <xmlDocDumpMemoryEnc@plt>
=> 0x847161 <zim_simplexml_element_asXML+938>:	mov    rax,QWORD PTR [rbp-0x90]
   0x847168 <zim_simplexml_element_asXML+945>:	mov    QWORD PTR [rbp-0x78],rax
   0x84716c <zim_simplexml_element_asXML+949>:	mov    eax,DWORD PTR [rbp-0xa0]
   0x847172 <zim_simplexml_element_asXML+955>:	mov    DWORD PTR [rbp-0x9c],eax
   0x847178 <zim_simplexml_element_asXML+961>:	mov    rax,QWORD PTR [rbp-0xb0]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa6d0 --> 0x7ffff7fbf640 --> 0x5a5a5a5a00000001 
0008| 0x7fffffffa6d8 --> 0x7ffff7f85250 --> 0x7ffff7fc0278 --> 0x0 
0016| 0x7fffffffa6e0 --> 0x7ffff7fc0278 --> 0x0 
0024| 0x7fffffffa6e8 --> 0x1 
0032| 0x7fffffffa6f0 --> 0x80000002 
0040| 0x7fffffffa6f8 --> 0x7fffffffa770 --> 0x0 
0048| 0x7fffffffa700 --> 0x0 
0056| 0x7fffffffa708 --> 0x16bc620 --> 0x7ffff7fbe4c8 (0x00000000016bc620)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, zim_simplexml_element_asXML (ht=0x0, 
    return_value=0x7ffff7fc0278, return_value_ptr=0x7ffff7f85250, 
    this_ptr=0x7ffff7fbf640, return_value_used=0x1)
    at /home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c:1415
1415				RETVAL_STRINGL((char *)strval, strval_len, 1);

gdb-peda$ p strval
$9 = (xmlChar *) 0x0

gdb-peda$ p strval_len
$10 = 0x80000002

gdb-peda$ c
Continuing.

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0xffff8001134a1f8e 
RBX: 0xac5cf0 (<execute_ex>:	push   rbp)
RCX: 0x100000004 
RDX: 0x80000002 
RSI: 0x0 
RDI: 0x7ffe6cb5e070 --> 0x0 
RBP: 0x7fffffffa6c0 --> 0x7fffffffa790 --> 0x7fffffffa800 --> 0x7fffffffa820 --> 0x7fffffffa850 --> 0x7fffffffa880 (--> ...)
RSP: 0x7fffffffa678 --> 0xa4306d (<_estrndup+181>:	mov    edx,DWORD PTR [rbp-0x1c])
RIP: 0x7ffff3dc9e10 (<__memcpy_sse2_unaligned+32>:	movdqu xmm8,XMMWORD PTR [rsi])
R8 : 0xffffffffffffffff 
R9 : 0x0 
R10: 0x22 ('"')
R11: 0x246 
R12: 0x441d00 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff3dc9e00 <__memcpy_sse2_unaligned+16>:	jb     0x7ffff3dc9f0d <__memcpy_sse2_unaligned+285>
   0x7ffff3dc9e06 <__memcpy_sse2_unaligned+22>:	cmp    rdx,0x10
   0x7ffff3dc9e0a <__memcpy_sse2_unaligned+26>:	jbe    0x7ffff3dc9f9b <__memcpy_sse2_unaligned+427>
=> 0x7ffff3dc9e10 <__memcpy_sse2_unaligned+32>:	movdqu xmm8,XMMWORD PTR [rsi]
   0x7ffff3dc9e15 <__memcpy_sse2_unaligned+37>:	cmp    rdx,0x20
   0x7ffff3dc9e19 <__memcpy_sse2_unaligned+41>:	movdqu XMMWORD PTR [rdi],xmm8
   0x7ffff3dc9e1e <__memcpy_sse2_unaligned+46>:	movdqu xmm8,XMMWORD PTR [rsi+rdx*1-0x10]
   0x7ffff3dc9e25 <__memcpy_sse2_unaligned+53>:	movdqu XMMWORD PTR [rdi+rdx*1-0x10],xmm8
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa678 --> 0xa4306d (<_estrndup+181>:	mov    edx,DWORD PTR [rbp-0x1c])
0008| 0x7fffffffa680 --> 0x16bc540 --> 0x0 
0016| 0x7fffffffa688 --> 0xca067500 
0024| 0x7fffffffa690 --> 0x0 
0032| 0x7fffffffa698 --> 0x1060190 ("/home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c")
0040| 0x7fffffffa6a0 --> 0x8000000200000587 
0048| 0x7fffffffa6a8 --> 0x0 
0056| 0x7fffffffa6b0 --> 0x7fffffffe1a0 --> 0x2 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:35
35	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.

gdb-peda$ bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:35
#1  0x0000000000a4306d in _estrndup (s=0x0, length=0x80000002, 
    __zend_filename=0x1060190 "/home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c", __zend_lineno=0x587, __zend_orig_filename=0x0, __zend_orig_lineno=0x0)
    at /home/user/Desktop/php-5.6.26/Zend/zend_alloc.c:2664
#2  0x00000000008471ba in zim_simplexml_element_asXML (ht=0x0, 
    return_value=0x7ffff7fc0278, return_value_ptr=0x7ffff7f85250, 
    this_ptr=0x7ffff7fbf640, return_value_used=0x1)
    at /home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c:1415
#3  0x0000000000ac66e8 in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7ffff7f85428)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:558
#4  0x0000000000ac6ebb in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (
    execute_data=0x7ffff7f85428)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:693
#5  0x0000000000ac5d50 in execute_ex (execute_data=0x7ffff7f85428)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:363
#6  0x0000000000ac5dd7 in zend_execute (op_array=0x7ffff7fbd488)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:388
#7  0x0000000000a7e415 in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-5.6.26/Zend/zend.c:1341
#8  0x00000000009df6d4 in php_execute_script (primary_file=0x7fffffffcd70)
    at /home/user/Desktop/php-5.6.26/main/main.c:2613
#9  0x0000000000b3b4d3 in do_cli (argc=0x2, argv=0x1434560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:994
#10 0x0000000000b3c836 in main (argc=0x2, argv=0x1434560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1378
#11 0x00007ffff3d4b830 in __libc_start_main (main=0xb3c019 <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#12 0x0000000000441d29 in _start ()
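The failure mode the report describes, reduced to a stand-alone C model. This is an added illustration, not code from php-src or libxml2: model_doc, model_dump_memory, copy_bytes, as_xml_unchecked, dump_result_usable and as_xml_checked are hypothetical names. model_dump_memory reproduces only the out-parameter contract the bug depends on (the int length is written, the pointer is left NULL when the serialised copy cannot be allocated, and a size_t is narrowed to int), with a caller-supplied limit standing in for the allocator ceiling the 2 GiB document hits. as_xml_unchecked mirrors the original asXML() sequence; as_xml_checked adds the check the report asks for and returns the RETVAL_FALSE outcome instead of copying from NULL. The sample document is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the document asXML() is called on:
 * the text of a single <a>...</a> element. Not a libxml2 type. */
typedef struct {
    const char *body;
    size_t      body_len;
} model_doc;

/*
 * Model of the xmlDocDumpMemoryEnc() out-parameter contract the report
 * relies on: the int length is written before the serialised copy is
 * allocated, so on failure the caller sees *out_ptr == NULL together with
 * *out_len != 0. 'limit' models the allocator ceiling. The size_t -> int
 * narrowing is kept on purpose: it is how a >2 GiB size becomes a value
 * such as 0x80000002, which is negative as an int.
 */
static void model_dump_memory(const model_doc *doc, char **out_ptr, int *out_len, size_t limit)
{
    size_t total = 3 + doc->body_len + 4;      /* "<a>" + body + "</a>" */
    char *buf;

    *out_ptr = NULL;
    *out_len = (int)total;                     /* length written first */
    if (total > limit) {
        return;                                /* "allocation failed": pointer stays NULL */
    }
    buf = malloc(total + 1);
    if (buf == NULL) {
        return;
    }
    memcpy(buf, "<a>", 3);
    memcpy(buf + 3, doc->body, doc->body_len);
    memcpy(buf + 3 + doc->body_len, "</a>", 5);   /* 5 bytes: includes the NUL */
    *out_ptr = buf;
}

/* What RETVAL_STRINGL() ends up doing through estrndup(): copy len bytes from ptr. */
static char *copy_bytes(const char *ptr, int len)
{
    char *s = malloc((size_t)len + 1);
    if (s == NULL) {
        return NULL;
    }
    memcpy(s, ptr, (size_t)len);               /* memcpy(dst, NULL, len) when the dump failed */
    s[len] = '\0';
    return s;
}

/* Original sequence: trusts the dump's out-parameters unconditionally.
 * Called with a limit the document does not fit, this is the SIGSEGV in the report. */
static char *as_xml_unchecked(const model_doc *doc, size_t limit)
{
    char *strval = NULL;
    int strval_len = 0;
    char *result;

    model_dump_memory(doc, &strval, &strval_len, limit);
    result = copy_bytes(strval, strval_len);   /* no NULL check */
    free(strval);
    return result;
}

/* The guard the fix needs before the length is trusted: a non-NULL pointer
 * and a positive length (a narrowed size can come back <= 0). */
static int dump_result_usable(const char *ptr, int len)
{
    return ptr != NULL && len > 0;
}

/* Hardened sequence: 1 and a malloc'd copy on success, 0 (the RETVAL_FALSE
 * outcome) when the dump produced no string. */
static int as_xml_checked(const model_doc *doc, size_t limit, char **result)
{
    char *strval = NULL;
    int strval_len = 0;

    *result = NULL;
    model_dump_memory(doc, &strval, &strval_len, limit);
    if (!dump_result_usable(strval, strval_len)) {
        free(strval);                          /* free(NULL) is a no-op, as xmlFree(NULL) is */
        return 0;
    }
    *result = copy_bytes(strval, strval_len);
    free(strval);
    return *result != NULL;
}

int main(void)
{
    const model_doc doc = { "bbbbbbbb", 8 };   /* constructed sample: <a>bbbbbbbb</a> */
    char *xml;

    if (as_xml_checked(&doc, 1024, &xml)) {    /* fits under the limit */
        printf("ok: %s\n", xml);
        free(xml);
    }
    if (!as_xml_checked(&doc, 8, &xml)) {      /* does not fit: dump "fails" */
        printf("dump failed: asXML() returns false instead of crashing\n");
    }
    /* as_xml_unchecked(&doc, 8) here reproduces the memcpy() SIGSEGV. */
    return 0;
}
```

The second condition in dump_result_usable() is what the 0x80000002 value in the gdb session argues for: after narrowing, the length can be outside the positive int range, so a length check on its own is not enough and a pointer check on its own does not catch a zero or negative length handed to a copy routine that takes an unsigned size.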


History

 [2016-10-11 20:32 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-10-11 20:32 UTC] stas@php.net
The fix is in security repo as 96a8cf8e1b5dc1b0c708bb5574e0d6727cc56d9e and in https://gist.github.com/541cbd1cc6bbd20097bf31a1e5460cf3

Please verify.
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=96a8cf8e1b5dc1b0c708bb5574e0d6727cc56d9e
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 14:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4ef79370a82d6c92f4ea0cd462274ba24e007f56
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-12 23:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=850504ae7d1ab97299b6ad1776a580e714526328
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=96a8cf8e1b5dc1b0c708bb5574e0d6727cc56d9e
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7e60851ae2a3ce47a317b93e080e4daa7120934
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4ef79370a82d6c92f4ea0cd462274ba24e007f56
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=96a8cf8e1b5dc1b0c708bb5574e0d6727cc56d9e
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7e60851ae2a3ce47a317b93e080e4daa7120934
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-17 10:06 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7e60851ae2a3ce47a317b93e080e4daa7120934
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4ef79370a82d6c92f4ea0cd462274ba24e007f56
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=96a8cf8e1b5dc1b0c708bb5574e0d6727cc56d9e
Log: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
 [2017-02-13 01:09 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 27 16:01:27 2024 UTC