Bug #74950 null pointer deref in zim_simplexml_element_getDocNamespaces (simplexml.c:1621)
Submitted: 2017-07-19 07:55 UTC Modified: -
From: geeknik at protonmail dot ch Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.1.7 OS: Fedora 26 x64
Private report: No CVE-ID:
 [2017-07-19 07:55 UTC] geeknik at protonmail dot ch
Description:
------------
null deref and segfault found with afl.

Test script:
---------------
$xml=new SimpleXMLElement(0,9000000000);var_dump($xml->getDocNamespaces())?>

Actual result:
--------------
ext/simplexml/php_simplexml_exports.h:45:43: runtime error: member access within null pointer of type 'php_sxe_object'
SUMMARY: AddressSanitizer: undefined-behavior ext/simplexml/php_simplexml_exports.h:45:43 in

Warning: SimpleXMLElement::__construct(): Invalid options in Command line code on line 1
/root/php-7.1.7/ext/simplexml/simplexml.c:1621:57: runtime error: member access within null pointer of type 'php_libxml_ref_obj' (aka 'struct _php_libxml_ref_obj')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/simplexml/simplexml.c:1621:57 in
/root/php-7.1.7/ext/simplexml/simplexml.c:1621:57: runtime error: load of null pointer of type 'void *'
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/simplexml/simplexml.c:1621:57 in
ASAN:DEADLYSIGNAL
=================================================================
==12757==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000001480ae7 bp 0x7ffe22d3c690 sp 0x7ffe22d3c5a0 T0)
==12757==The signal is caused by a READ memory access.
==12757==Hint: address points to the zero page.
    #0 0x1480ae6 in zim_simplexml_element_getDocNamespaces /root/php-7.1.7/ext/simplexml/simplexml.c:1621:57
    #1 0x237e126 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /root/php-7.1.7/Zend/zend_vm_execute.h:1097:4
    #2 0x21a9e8a in execute_ex /root/php-7.1.7/Zend/zend_vm_execute.h:432:7
    #3 0x21ab3f7 in zend_execute /root/php-7.1.7/Zend/zend_vm_execute.h:474:2
    #4 0x1d6dc24 in zend_eval_stringl /root/php-7.1.7/Zend/zend_execute_API.c:1120:4
    #5 0x1d6ea20 in zend_eval_stringl_ex /root/php-7.1.7/Zend/zend_execute_API.c:1161:11
    #6 0x1d6ea20 in zend_eval_string_ex /root/php-7.1.7/Zend/zend_execute_API.c:1172
    #7 0x2982f44 in do_cli /root/php-7.1.7/sapi/cli/php_cli.c:1024:8
    #8 0x2980752 in main /root/php-7.1.7/sapi/cli/php_cli.c:1381:18
    #9 0x7f740e05f4d9 in __libc_start_main /usr/src/debug/glibc-2.25-24-g49f97e6/csu/../csu/libc-start.c:295
    #10 0x43aad9 in _start (/root/php-7.1.7/sapi/cli/php+0x43aad9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-7.1.7/ext/simplexml/simplexml.c:1621:57 in zim_simplexml_element_getDocNamespaces
==12757==ABORTING

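The trace above shows the failure sequence: the constructor rejects the out-of-range options value with a warning but returns, leaving the object without a document, and getDocNamespaces then dereferences that null pointer at simplexml.c:1621. The following C model is an added example, not code from php-src; its struct names echo the ASAN trace (php_sxe_object, php_libxml_ref_obj) but the layouts, the `options` range check and the `-1` error code are simplifying assumptions. It shows the half-initialised object beside a guarded accessor that refuses to touch a missing document.

```c
/* Added example, not PHP's own code: simplified model of the bug class behind #74950.
 * Structs are illustrative stand-ins, not PHP's real layout (assumption). */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { void *ptr; } libxml_ref_obj;             /* stands in for php_libxml_ref_obj */
typedef struct { libxml_ref_obj *document; } sxe_object;   /* stands in for php_sxe_object */

/* Constructed stand-in for a parsed document; contents are irrelevant here. */
static libxml_ref_obj g_doc = { .ptr = (void *)"<root/>" };

/* Mirrors the constructor's early return: an options value wider than an int is
 * rejected with a warning, but the object is left with document == NULL. */
int sxe_construct(sxe_object *sxe, long long options) {
    sxe->document = NULL;
    if (options > INT_MAX || options < INT_MIN) {
        fprintf(stderr, "Warning: SimpleXMLElement::__construct(): Invalid options\n");
        return -1;               /* caller can still invoke methods on sxe */
    }
    sxe->document = &g_doc;
    return 0;
}

/* Unguarded accessor in the shape of the crashing line: reads document->ptr
 * unconditionally, so a failed construction turns into a NULL dereference. */
int sxe_get_doc_namespaces_unsafe(const sxe_object *sxe) {
    return sxe->document->ptr != NULL;
}

/* Guarded form: a missing document is reported as an error, never dereferenced. */
int sxe_get_doc_namespaces_safe(const sxe_object *sxe) {
    if (sxe->document == NULL) return -1;
    return sxe->document->ptr != NULL;
}

/* Replays the reporter's call sequence (construct, ignore the warning, then
 * query namespaces) through the guarded accessor. */
int reproduce_bug_74950(long long options) {
    sxe_object sxe;
    sxe_construct(&sxe, options);
    return sxe_get_doc_namespaces_safe(&sxe);
}
```

Calling `sxe_get_doc_namespaces_unsafe` after `sxe_construct(&sxe, 9000000000LL)` is the modelled crash; the guarded path returns -1 instead.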
 [2017-07-21 10:18 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3a7b0027f32881710ff64278a4f98b7e052578d2
Log: Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces)
 [2017-07-21 10:18 UTC] laruence@php.net
-Status: Open +Status: Closed
Last updated: Tue Aug 29 15:01:52 2017 UTC