Bug #73533 Invalid memory access in php_libxml_xmlCheckUTF8
Submitted: 2016-11-16 03:08 UTC Modified: 2021-03-23 15:15 UTC
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Closed Package: XML related
PHP Version: 7.0.13 OS: ALL
Private report: No CVE-ID: None
 [2016-11-16 03:08 UTC] ahihibughunter at gmail dot com
Description:
------------
In function php_libxml_xmlCheckUTF8:
int php_libxml_xmlCheckUTF8(const unsigned char *s)
{
	int i;
	unsigned char c;

	for (i = 0; (c = s[i++]);) {
		if ((c & 0x80) == 0) {
...
}
When the input string (s) has a very big size, i may become a negative value and
cause PHP 7 to crash.

Test script:
---------------
<?php
// Lift the memory limit so a string larger than 2 GiB can be allocated.
ini_set('memory_limit', -1);
class TestSoapClient extends SoapClient {}
$client = new TestSoapClient(dirname(__FILE__).'/ahihi.wsdl');
$strA = 'ahihi';
// 0x80001000 bytes: longer than INT_MAX, so a 32-bit int index wraps negative.
$strB = str_repeat('a', 0x80001000);
$res = $client->Test(array('strA'=>$strA, 'strB'=>$strB));
?>

You can use any valid WSDL file to reproduce this bug.

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../../php7new/php-src-PHP-7.0.13/sapi/cli/php
....
(gdb) r test.php 
Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000049117c in php_libxml_xmlCheckUTF8 (s=0x7ffeec000000 'a' <repeats 200 times>...) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/libxml/libxml.c:1143
1143		for (i = 0; (c = s[i++]);) {
(gdb) bt
#0  0x000000000049117c in php_libxml_xmlCheckUTF8 (s=0x7ffeec000000 'a' <repeats 200 times>...) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/libxml/libxml.c:1143
#1  0x000000000081ddb3 in to_xml_string (type=0x13e4d90 <defaultEncoding+112>, data=0x7fffed65f6c0, style=2, parent=0x15f1cd0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:864
#2  0x000000000081c2ed in master_to_xml_int (encode=0x13e4d90 <defaultEncoding+112>, data=0x7fffed65f6c0, style=2, parent=0x15f1cd0, check_class_map=1)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:501
#3  0x000000000081c36a in master_to_xml (encode=0x13e4d90 <defaultEncoding+112>, data=0x7fffed65f6c0, style=2, parent=0x15f1cd0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:512
#4  0x000000000082249b in to_xml_object (type=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:1927
#5  0x000000000082728c in sdl_guess_convert_xml (enc=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:3285
#6  0x000000000081c2ed in master_to_xml_int (encode=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30, check_class_map=1) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:501
#7  0x000000000081c36a in master_to_xml (encode=0x7fffed6588a0, data=0x7fffed663300, style=2, parent=0x15f1c30) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/php_encoding.c:512
#8  0x0000000000818bb7 in serialize_zval (val=0x7fffed663300, param=0x7fffed67a280, paramName=0x7fffed6632a0 "parameters", style=2, parent=0x15f1c30)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:4467
#9  0x0000000000818a1a in serialize_parameter (param=0x7fffed67a280, param_val=0x7fffed663300, index=0, name=0x0, style=2, parent=0x15f1c30) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:4439
#10 0x0000000000818239 in serialize_function_call (this_ptr=0x7fffed6131d0, function=0x7fffed658c00, function_name=0x0, uri=0x0, arguments=0x7fffed663300, arg_count=1, version=1, soap_headers=0x0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:4302
#11 0x0000000000811bfe in do_soap_call (execute_data=0x7fffed6131b0, this_ptr=0x7fffed6131d0, function=0x7fffed67a2d8 "Test", function_len=4, arg_count=1, real_args=0x7fffed663300, return_value=0x7fffed613190, 
    location=0x7fffed658ba0 "http://localhost:8080/~dmitry/bug38004/server.php", soap_action=0x0, call_uri=0x0, soap_headers=0x0, output_headers=0x0)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:2734
#12 0x0000000000812e55 in zim_SoapClient___call (execute_data=0x7fffed6131b0, return_value=0x7fffed613190) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/soap/soap.c:2954
#13 0x0000000000a6b519 in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:1788
#14 0x0000000000a67085 in execute_ex (ex=0x7fffed613030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#15 0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#16 0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#17 0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcaa0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#18 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#19 0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
(gdb) print i
$1 = -2147483647
(gdb) 
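Added worked example (written for this page; it is neither php-src code nor part of the report above). It reproduces the index-wrap mechanism of the report without allocating 2 GiB: the same loop is instantiated once with an int8_t index, which stands in for the 32-bit `int` and wraps after 128 bytes instead of after INT_MAX bytes, and once with a size_t index, the obvious hardening (the page does not show the diff of PR 6802, so treating size_t as the fix is an assumption). The branches after the ASCII case are my completion of the structural lead/continuation-byte check, since the report elides them; the arena, offsets and the 0xFF byte are constructed test data. Names such as check_utf8_narrow, run_demo and int_index_wraps are mine.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same loop shape as php_libxml_xmlCheckUTF8, parameterised on the index type.
 * PHP 7.0.13 uses `int i`; the hardened instance below uses `size_t`. The
 * branches after the ASCII case are my completion of the structural
 * lead/continuation-byte check (assumption: the report elides them). */
#define DEFINE_CHECK_UTF8(NAME, IDX_T)                                       \
static int NAME(const unsigned char *s)                                      \
{                                                                            \
    IDX_T i;                                                                 \
    unsigned char c;                                                         \
    for (i = 0; (c = s[i++]);) {                                             \
        if ((c & 0x80) == 0) {                                               \
            /* ASCII byte: nothing more to check */                          \
        } else if ((c & 0xe0) == 0xc0) {                                     \
            if ((s[i++] & 0xc0) != 0x80) return 0;                           \
        } else if ((c & 0xf0) == 0xe0) {                                     \
            if ((s[i++] & 0xc0) != 0x80 || (s[i++] & 0xc0) != 0x80)          \
                return 0;                                                    \
        } else if ((c & 0xf8) == 0xf0) {                                     \
            if ((s[i++] & 0xc0) != 0x80 || (s[i++] & 0xc0) != 0x80 ||        \
                (s[i++] & 0xc0) != 0x80)                                     \
                return 0;                                                    \
        } else {                                                             \
            return 0; /* stray continuation byte or 0xF8..0xFF lead byte */  \
        }                                                                    \
    }                                                                        \
    return 1;                                                                \
}

/* int8_t stands in for the 32-bit `int`: the index wraps after 128 bytes
 * instead of after INT_MAX bytes (gcc/clang convert 127+1 to -128). */
DEFINE_CHECK_UTF8(check_utf8_narrow, int8_t)
/* Hardened variant: an unsigned size_t index can never become negative. */
DEFINE_CHECK_UTF8(check_utf8_size_t, size_t)

/* Does a real 32-bit `int` index wrap for a NUL-terminated string of this
 * length? Once len > INT_MAX the byte at index INT_MAX is non-NUL, and the
 * post-increment after reading it overflows. */
static int int_index_wraps(uint64_t len)
{
    return len > (uint64_t)INT_MAX;
}

/* Constructed scenario mirroring the report: a string longer than the index
 * type can count (200 > INT8_MAX, as 0x80001000 > INT32_MAX) with an invalid
 * byte past the wrap point. The string sits in the middle of an arena so the
 * wrapped read s[-128] lands in memory we own; in the real bug s[INT_MIN] is
 * unmapped, hence the SIGSEGV in the backtrace above. */
enum { ARENA = 512, OFFSET = 256, LEN = 200, BAD_AT = 150 };

struct verdicts { int narrow; int wide; };

static struct verdicts run_demo(void)
{
    unsigned char arena[ARENA];
    unsigned char *s = arena + OFFSET;
    struct verdicts v;

    memset(arena, 'a', sizeof arena);
    s[BAD_AT] = 0xff;   /* 0xFF is never valid in UTF-8 */
    s[LEN] = '\0';
    s[-128] = '\0';     /* the byte the wrapped index reads next */

    v.narrow = check_utf8_narrow(s);  /* 1: stopped at s[-128], never saw 0xFF */
    v.wide = check_utf8_size_t(s);    /* 0: scanned on to s[150] and rejected it */
    return v;
}

static int narrow_verdict(void) { return run_demo().narrow; }
static int wide_verdict(void)   { return run_demo().wide; }

int main(void)
{
    printf("narrow (int-like) index accepts the string: %d\n", narrow_verdict());
    printf("size_t index accepts the string:            %d\n", wide_verdict());
    printf("0x80001000 bytes wraps a 32-bit int index:  %d\n",
           int_index_wraps(0x80001000ULL));
    return 0;
}
```

The narrow instance returns 1 because after 128 bytes the index wraps, the loop reads outside the string and happens to hit a NUL, so the check terminates without ever examining bytes 128 to 199. The report's crash is the same path with a 32-bit index, where the wrapped read at s[INT_MIN] is unmapped. The size_t instance walks the whole string and rejects the 0xFF byte; it also keeps the original's limits (it checks only lead/continuation structure, not overlong or surrogate encodings).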


History

 [2016-11-18 14:37 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:37 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2021-03-23 15:14 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: SOAP related +Package: XML related -Assigned To: +Assigned To: cmb
 [2021-03-23 15:19 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #73533: Invalid memory access in php_libxml_xmlCheckUTF8
On GitHub:  https://github.com/php/php-src/pull/6802
Patch:      https://github.com/php/php-src/pull/6802.patch
 [2021-03-24 10:55 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=498eb8e0529fbe1dd8a91ae3ee8592eda868d3aa
Log: Fix #73533: Invalid memory access in php_libxml_xmlCheckUTF8
 [2021-03-24 10:55 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 27 16:01:27 2024 UTC