Bug #80324 yaml_parse_url assertion
Submitted: 2020-11-05 19:58 UTC Modified: 2020-12-20 18:17 UTC
From: kak dot serpom dot po dot yaitsam at gmail dot com Assigned: bd808 (profile)
Status: Closed Package: yaml (PECL)
PHP Version: 7.0.8 OS: Windows/64-bit
Private report: No CVE-ID: None
 [2020-11-05 19:58 UTC] kak dot serpom dot po dot yaitsam at gmail dot com
Description:
------------
It crashes only with xdebug enabled on PHP 7.3.24-3+ubuntu18.04.1+deb.sury.org+1 

If I replace anonymous functions with regular functions or methods (like [$this, 'callbackEnv']) then php_yaml_check_callbacks (https://github.com/php/pecl-file_formats-yaml/blob/2.1.0/yaml.c#L305) doesn't crash.

Test script:
---------------
<?php
// $file is a placeholder: point it at any YAML document. The callbacks are
// deliberately left empty; the crash is triggered by the callback array itself.
$file  = '/path/to/document.yaml';
$ndocs = 0;
$data = \yaml_parse_file(
    $file,
    0,
    $ndocs,
    [
        '!env'  => function ($str) {
        },
        '!path' => function ($str) {
        },
    ]
);

Expected result:
----------------
No segfault :)

Actual result:
--------------
Program terminated with signal SIGSEGV, Segmentation fault.
#0  php_yaml_check_callbacks (callbacks=<optimized out>, callbacks=<optimized out>) at /tmp/pear/temp/yaml/yaml.c:305
305	/tmp/pear/temp/yaml/yaml.c: No such file or directory.
(gdb) bt
#0  php_yaml_check_callbacks (callbacks=<optimized out>, callbacks=<optimized out>) at /tmp/pear/temp/yaml/yaml.c:305
#1  0x00007f9fa33dd0b4 in zif_yaml_parse_file (execute_data=<optimized out>, return_value=0x7f9fb5a1eac0) at /tmp/pear/temp/yaml/yaml.c:415
#2  0x00007f9fb5266485 in xdebug_execute_internal (current_execute_data=0x7f9fb5a1eb90, return_value=0x7f9fb5a1eac0) at ./build-7.3/src/base/base.c:466
#3  0x0000563d30ea40df in ?? ()
#4  0x0000563d310dceb6 in execute_ex ()
#5  0x00007f9fb5265afc in xdebug_execute_ex (execute_data=0x7f9fb5a1e840) at ./build-7.3/src/base/base.c:380
#6  0x0000563d30ea3d29 in ?? ()
#7  0x0000563d310dceb6 in execute_ex ()

 [2020-11-05 21:19 UTC] girgias@php.net
-Summary: Segfault +Summary: Segfault in YAML with anonymous functions while using XDebug -Package: yami +Package: yaml
 [2020-12-15 13:40 UTC] cmb@php.net
It seems to me that sizeof(YAML_TIMESTAMP_TAG) is 29[1], so the
memcmp() would cause an OOB read.  Using strcmp() instead should
solve the issue, but would not cater to embedded NUL bytes in the
key.  The proper solution would likely be

    if (zend_string_equals_literal(key, YAML_TIMESTAMP_TAG)) {

However, zend_string_equals_literal() is only available as of PHP
7.0.0.

[1] <https://github.com/yaml/libyaml/blob/acd6f6f014c25e46363e718381e0b35205df2d83/include/yaml.h#L677>
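As an added illustration, not code from the yaml extension or from the pull request, the following places the fixed-size memcmp() pattern cmb describes next to a length-checked comparison with the semantics of zend_string_equals_literal(). The YAML_TIMESTAMP_TAG value is assumed to be the one in libyaml's yaml.h, and the exact line in yaml.c is not reproduced; instead of executing the out-of-bounds read, unsafe_overread_bytes() computes how far past a short key's buffer it would reach.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match libyaml's yaml.h (see cmb's reference [1]). */
#define YAML_TIMESTAMP_TAG "tag:yaml.org,2002:timestamp"

/*
 * The unsafe pattern: memcmp(key, YAML_TIMESTAMP_TAG, sizeof(YAML_TIMESTAMP_TAG))
 * compares sizeof(literal) bytes regardless of how long the key is. For a
 * short key such as "!env" (4 bytes + NUL) that reads well past the key.
 * Returns the number of bytes read beyond the key's own bytes and its NUL
 * terminator; 0 means the comparison stays inside the key.
 */
size_t unsafe_overread_bytes(size_t key_len)
{
    size_t compared  = sizeof(YAML_TIMESTAMP_TAG); /* literal incl. NUL */
    size_t available = key_len + 1;                /* key bytes + NUL    */
    return compared > available ? compared - available : 0;
}

/*
 * Hardened comparison with zend_string_equals_literal() semantics:
 * lengths must match before any bytes are compared, so memcmp() never
 * reads past either buffer, and a key containing an embedded NUL byte is
 * not mistaken for the tag (strcmp() would stop at the NUL and report a match).
 */
int key_equals_literal(const char *key, size_t key_len,
                       const char *lit, size_t lit_len)
{
    return key_len == lit_len && memcmp(key, lit, key_len) == 0;
}
#define KEY_EQUALS_LITERAL(key, len, lit) \
    key_equals_literal((key), (len), (lit), sizeof(lit) - 1)

int main(void)
{
    /* Constructed sample keys: the two tags from the bug report plus the real tag. */
    const char *keys[] = { "!env", "!path", YAML_TIMESTAMP_TAG };
    for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
        size_t len = strlen(keys[i]);
        printf("%-28s unsafe over-read=%zu bytes, is_timestamp=%d\n",
               keys[i], unsafe_overread_bytes(len),
               KEY_EQUALS_LITERAL(keys[i], len, YAML_TIMESTAMP_TAG));
    }
    return 0;
}
```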
 [2020-12-15 13:40 UTC] cmb@php.net
-Summary: Segfault in YAML with anonymous functions while using XDebug +Summary: Segfault in YAML with anonymous functions
 [2020-12-15 13:40 UTC] cmb@php.net
Doesn't seem to be related to Xdebug.
 [2020-12-16 16:03 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #80324: Segfault in YAML with anonymous functions
On GitHub:  https://github.com/php/pecl-file_formats-yaml/pull/56
Patch:      https://github.com/php/pecl-file_formats-yaml/pull/56.patch
 [2020-12-20 18:07 UTC] bd808@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=pecl/file_formats/yaml.git;a=commit;h=d991df2ed5f26024ab7c880fa78313fc1b3703fe
Log: Fix #80324: Segfault in YAML with anonymous functions
 [2020-12-20 18:07 UTC] bd808@php.net
-Status: Open +Status: Closed
 [2020-12-20 18:17 UTC] bd808@php.net
-Summary: Segfault in YAML with anonymous functions +Summary: yaml_parse_url assertion -Operating System: Ubuntu +Operating System: Windows/64-bit -PHP Version: 7.3.24 +PHP Version: 7.0.8 -Assigned To: +Assigned To: bd808
 [2020-12-20 18:17 UTC] bd808@php.net
Fixed in 2.2.1 release. Thank you for the bug report kak, and thank you for the fix cmb!
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jan 16 03:01:24 2021 UTC