Bug #74950 null pointer deref in zim_simplexml_element_getDocNamespaces (simplexml.c:1621)
Submitted: 2017-07-19 07:55 UTC
Modified: -
From: geeknik at protonmail dot ch
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 7.1.7
OS: Fedora 26 x64
Private report: No
CVE-ID: None

 [2017-07-19 07:55 UTC] geeknik at protonmail dot ch
Description:
------------
null deref and segfault found with afl.

Test script:
---------------
$xml=new SimpleXMLElement(0,9000000000);var_dump($xml->getDocNamespaces())?>

Actual result:
--------------
ext/simplexml/php_simplexml_exports.h:45:43: runtime error: member access within null pointer of type 'php_sxe_object'
SUMMARY: AddressSanitizer: undefined-behavior ext/simplexml/php_simplexml_exports.h:45:43 in

Warning: SimpleXMLElement::__construct(): Invalid options in Command line code on line 1
/root/php-7.1.7/ext/simplexml/simplexml.c:1621:57: runtime error: member access within null pointer of type 'php_libxml_ref_obj' (aka 'struct _php_libxml_ref_obj')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/simplexml/simplexml.c:1621:57 in
/root/php-7.1.7/ext/simplexml/simplexml.c:1621:57: runtime error: load of null pointer of type 'void *'
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/simplexml/simplexml.c:1621:57 in
ASAN:DEADLYSIGNAL
=================================================================
==12757==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000001480ae7 bp 0x7ffe22d3c690 sp 0x7ffe22d3c5a0 T0)
==12757==The signal is caused by a READ memory access.
==12757==Hint: address points to the zero page.
    #0 0x1480ae6 in zim_simplexml_element_getDocNamespaces /root/php-7.1.7/ext/simplexml/simplexml.c:1621:57
    #1 0x237e126 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /root/php-7.1.7/Zend/zend_vm_execute.h:1097:4
    #2 0x21a9e8a in execute_ex /root/php-7.1.7/Zend/zend_vm_execute.h:432:7
    #3 0x21ab3f7 in zend_execute /root/php-7.1.7/Zend/zend_vm_execute.h:474:2
    #4 0x1d6dc24 in zend_eval_stringl /root/php-7.1.7/Zend/zend_execute_API.c:1120:4
    #5 0x1d6ea20 in zend_eval_stringl_ex /root/php-7.1.7/Zend/zend_execute_API.c:1161:11
    #6 0x1d6ea20 in zend_eval_string_ex /root/php-7.1.7/Zend/zend_execute_API.c:1172
    #7 0x2982f44 in do_cli /root/php-7.1.7/sapi/cli/php_cli.c:1024:8
    #8 0x2980752 in main /root/php-7.1.7/sapi/cli/php_cli.c:1381:18
    #9 0x7f740e05f4d9 in __libc_start_main /usr/src/debug/glibc-2.25-24-g49f97e6/csu/../csu/libc-start.c:295
    #10 0x43aad9 in _start (/root/php-7.1.7/sapi/cli/php+0x43aad9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-7.1.7/ext/simplexml/simplexml.c:1621:57 in zim_simplexml_element_getDocNamespaces
==12757==ABORTING

 [2017-07-21 10:18 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3a7b0027f32881710ff64278a4f98b7e052578d2
Log: Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces)
 [2017-07-21 10:18 UTC] laruence@php.net
-Status: Open +Status: Closed
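
The failure mode in this report, as an added C example that is not php-src code and not the committed fix: a constructor that rejects its options with only a warning leaves the object without a document, and a later method dereferences it. All names (`sxe_object`, `ref_obj`, `sxe_construct`, ...) are hypothetical stand-ins, and the `INT_MAX` range check is an assumption about why the options were rejected.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for php_libxml_ref_obj / php_sxe_object (fields assumed). */
typedef struct { const void *ptr; } ref_obj;
typedef struct { ref_obj *document; } sxe_object;
enum { SXE_OK = 0, SXE_FAIL = -1 };

/* Model of the constructor: bad options cause an early return (a warning,
 * not a fatal error), so the caller keeps an object with no document. */
int sxe_construct(sxe_object *sxe, const char *data, long long options)
{
    sxe->document = NULL;
    if (options > INT_MAX || options < INT_MIN)
        return SXE_FAIL;                 /* "Invalid options" path */
    sxe->document = malloc(sizeof *sxe->document);
    if (sxe->document == NULL)
        return SXE_FAIL;
    sxe->document->ptr = data;           /* stands in for the parsed document */
    return SXE_OK;
}

/* Crashing pattern: document is dereferenced unconditionally. */
int sxe_doc_unchecked(const sxe_object *sxe, const void **doc_out)
{
    *doc_out = sxe->document->ptr;       /* NULL->ptr after a failed construct */
    return SXE_OK;
}

/* Hardened pattern: a missing document means "object not initialised". */
int sxe_doc_checked(const sxe_object *sxe, const void **doc_out)
{
    *doc_out = NULL;
    if (sxe == NULL || sxe->document == NULL || sxe->document->ptr == NULL)
        return SXE_FAIL;
    *doc_out = sxe->document->ptr;
    return SXE_OK;
}

void sxe_destroy(sxe_object *sxe) { free(sxe->document); sxe->document = NULL; }

int main(void)
{
    sxe_object sxe;
    const void *doc;
    sxe_construct(&sxe, "0", 9000000000LL);  /* constructed input mirroring the test script */
    int rc = sxe_doc_checked(&sxe, &doc);
    sxe_destroy(&sxe);
    return rc == SXE_FAIL ? 0 : 1;       /* exit 0: the bad state was rejected */
}
```
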
Last updated: Tue Oct 08 22:01:27 2024 UTC