php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73533 Invalid memory access in php_libxml_xmlCheckUTF8
Submitted: 2016-11-16 03:08 UTC Modified: 2021-03-23 15:15 UTC
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Closed Package: XML related
PHP Version: 7.0.13 OS: ALL
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ahihibughunter at gmail dot com
New email:
PHP Version: OS:

 

 [2016-11-16 03:08 UTC] ahihibughunter at gmail dot com
Description:
------------
in function php_libxml_xmlCheckUTF8
int php_libxml_xmlCheckUTF8(const unsigned char *s)
{
	int i;
	unsigned char c;

	for (i = 0; (c = s[i++]);) {
		if ((c & 0x80) == 0) {
,,,,
}
when input string (s) may have very big size leach to i become negative value and 
cause php7 crash.

Test script:
---------------
<?php
ini_set('memory_limit', -1);
class TestSoapClient extends SoapClient {}
$client = new TestSoapClient(dirname(__FILE__).'/ahihi.wsdl');
$strA = 'ahihi';
$strB  = str_repeat('a',0x80001000);
$res = $client->Test(array('strA'=>$strA, 'strB'=>$strB));
?>

U can using any valid wsdl file to reproduce this bug.

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../../php7new/php-src-PHP-7.0.13/sapi/cli/php
....
(gdb) r test.php 
Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000049117c in php_libxml_xmlCheckUTF8 (s=0x7ffeec000000 'a' <repeats 200 times>...) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/libxml/libxml.c:1143
1143		for (i = 0; (c = s[i++]);) {
(gdb) bt
#0  0x000000000049117c in php_libxml_xmlCheckUTF8 (s=0x7ffeec000000 'a' <repeats 200 times>...) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/libxml/libxml.c:1143
#1  0x000000000081ddb3 in to_xml_string (type=0x13e4d90 <defaultEncoding+112>, data=0x7fffed65f6c0, style=2, parent=0x15f1cd0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:864
#2  0x000000000081c2ed in master_to_xml_int (encode=0x13e4d90 <defaultEncoding+112>, data=0x7fffed65f6c0, style=2, parent=0x15f1cd0, check_class_map=1)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:501
#3  0x000000000081c36a in master_to_xml (encode=0x13e4d90 <defaultEncoding+112>, data=0x7fffed65f6c0, style=2, parent=0x15f1cd0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:512
#4  0x000000000082249b in to_xml_object (type=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:1927
#5  0x000000000082728c in sdl_guess_convert_xml (enc=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:3285
#6  0x000000000081c2ed in master_to_xml_int (encode=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30, check_class_map=1) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:501
#7  0x000000000081c36a in master_to_xml (encode=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:512
#8  0x0000000000818bb7 in serialize_zval (val=0x7fffed663300, param=0x7fffed67a280, paramName=0x7fffed6632a0 "parameters", style=2, parent=0x15f1c30)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:4467
#9  0x0000000000818a1a in serialize_parameter (param=0x7fffed67a280, param_val=0x7fffed663300, index=0, name=0x0, style=2, parent=0x15f1c30) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:4439
#10 0x0000000000818239 in serialize_function_call (this_ptr=0x7fffed6131d0, function=0x7fffed658c00, function_name=0x0, uri=0x0, arguments=0x7fffed663300, arg_count=1, version=1, soap_headers=0x0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:4302
#11 0x0000000000811bfe in do_soap_call (execute_data=0x7fffed6131b0, this_ptr=0x7fffed6131d0, function=0x7fffed67a2d8 "Test", function_len=4, arg_count=1, real_args=0x7fffed663300, return_value=0x7fffed613190, 
    location=0x7fffed658ba0 "http://localhost:8080/~dmitry/bug38004/server.php", soap_action=0x0, call_uri=0x0, soap_headers=0x0, output_headers=0x0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:2734
#12 0x0000000000812e55 in zim_SoapClient___call (execute_data=0x7fffed6131b0, return_value=0x7fffed613190) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:2954
#13 0x0000000000a6b519 in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:1788
#14 0x0000000000a67085 in execute_ex (ex=0x7fffed613030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#15 0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#16 0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#17 0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcaa0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#18 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#19 0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
(gdb) print i
$1 = -2147483647
(gdb) 


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-18 14:37 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:37 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2021-03-23 15:14 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: SOAP related +Package: XML related -Assigned To: +Assigned To: cmb
 [2021-03-23 15:19 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #73533: Invalid memory access in php_libxml_xmlCheckUTF8
On GitHub:  https://github.com/php/php-src/pull/6802
Patch:      https://github.com/php/php-src/pull/6802.patch
 [2021-03-24 10:55 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=498eb8e0529fbe1dd8a91ae3ee8592eda868d3aa
Log: Fix #73533: Invalid memory access in php_libxml_xmlCheckUTF8
 [2021-03-24 10:55 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Sep 21 00:03:37 2021 UTC