Description:
------------
Run the test script with PHP/ASAN. I'm marking it as security since parsing xml coming from user is a common task, so apologies in advance if it's not security relevant.
(gdb) b xml.c:992
Breakpoint 1 at 0x83a3ae5: file /home/fmunozs/phpgit/php56dbg/ext/xml/xml.c, line 992.
(gdb) r
Breakpoint 1, _xml_characterDataHandler (userData=0xb5f5bba4, s=0x8d185e5 "aaaaaaaaaa", len=10)
at /home/fmunozs/phpgit/php56dbg/ext/xml/xml.c:992
992 _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
(gdb) print parser
$1 = (xml_parser *) 0xb5f5bba4
(gdb) print parser->ltags
$2 = (char **) 0xb5f5c894
(gdb) print parser->ltags[parser->level-1]
$3 = 0x5c7efff0 <error: Cannot access memory at address 0x5c7efff0>
(gdb) print parser->ltags[parser->level]
$4 = 0x0
(gdb) print parser->ltags
$5 = (char **) 0xb5f5c894
(gdb) print parser->level
$8 = 0
(gdb) print parser->ltags[parser->level-1] + parser->toffset
$9 = 0x5c7efff0 <error: Cannot access memory at address 0x5c7efff0>
parser->level is 0, and line 992 is trying to access element -1.
Test script:
---------------
<?php
// Create a namespace-aware parser; no handlers are installed at this point.
$var1=xml_parser_create_ns();
// Feed a lone start tag so the underlying parser has an element left open.
$var2="<xss>";
xml_parse($var1, $var2);
// Now hand character data to the same parser via xml_parse_into_struct(),
// which starts at parser->level == 0 while text arrives for the open <xss>.
$var2=str_repeat("a", 10);
$var3=[];
$var4=[];
xml_parse_into_struct($var1, $var2, $var3, $var4);
var_dump($var3);
Expected result:
----------------
No crash
Actual result:
--------------
=================================================================
==4221==ERROR: AddressSanitizer: SEGV on unknown address 0x0000001d (pc 0xb6dc6256 bp 0xbfba8e18 sp 0xbfba89a4 T0)
#0 0xb6dc6255 (/lib/i386-linux-gnu/libc.so.6+0x7c255)
#1 0xb71e7655 in __interceptor_strlen (/usr/lib/i386-linux-gnu/libasan.so.2+0x6a655)
#2 0x90e321f in _xml_add_to_info /home/fmunozs/phpgit/php56/ext/xml/xml.c:740
#3 0x90ef305 in _xml_characterDataHandler /home/fmunozs/phpgit/php56/ext/xml/xml.c:992
#4 0x90ff63b in _cdata_handler /home/fmunozs/phpgit/php56/ext/xml/compat.c:274
#5 0xb6f33ec4 in xmlParseCharData (/usr/lib/i386-linux-gnu/libxml2.so.2+0x34ec4)
#6 0xb6f4461c (/usr/lib/i386-linux-gnu/libxml2.so.2+0x4561c)
#7 0xb6f44f62 in xmlParseChunk (/usr/lib/i386-linux-gnu/libxml2.so.2+0x45f62)
#8 0x9103efb in php_XML_Parse /home/fmunozs/phpgit/php56/ext/xml/compat.c:605
#9 0x90e0e8e in zif_xml_parse_into_struct /home/fmunozs/phpgit/php56/ext/xml/xml.c:1499
#10 0x9a7dbe8 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558
#11 0x96417e6 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363
#12 0x9a6de98 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388
#13 0x9472029 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341
#14 0x91ae13b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613
#15 0x9a8795a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994
#16 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
#17 0xb6d62645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
#18 0x808aaba (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==4221==ABORTING
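The description pins the crash on `ltags[parser->level-1]` being evaluated with `parser->level == 0`. Below is an added, simplified C model of that tag-stack lookup (not PHP's code; field names borrowed from the gdb output, the reset performed by `xml_parse_into_struct()` and the `toffset` meaning are assumptions) with the bounds check that refuses the lookup when no element is recorded as open.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXLEVEL 8

/* Assumed, simplified parser state: a stack of open tag names, the number of
 * entries recorded in it, and an offset skipped from the front of each name. */
typedef struct {
    const char *ltags[MAXLEVEL];
    int level;
    int toffset;
} xml_model;

/* Start-element callback: push the tag name and deepen the level. */
static void model_start_element(xml_model *p, const char *name) {
    if (p->level < MAXLEVEL) p->ltags[p->level] = name;
    p->level++;
}

/* Assumed effect of xml_parse_into_struct(): fresh tag stack, level 0.
 * This matches the gdb output (level == 0, ltags[0] == 0x0). */
static void model_reset_for_into_struct(xml_model *p) {
    memset(p->ltags, 0, sizeof p->ltags);
    p->level = 0;
}

/* Hardened lookup: with level == 0 the report's expression reads element -1.
 * Return NULL instead of indexing when nothing is open or the stack overflowed. */
static const char *model_current_tag(const xml_model *p) {
    if (p->level <= 0 || p->level > MAXLEVEL) return NULL;
    return p->ltags[p->level - 1] + p->toffset;
}

/* Character-data callback: 1 if the text was attributed to an open element,
 * 0 if it arrived at depth 0 and was dropped rather than dereferenced. */
static int model_character_data(const xml_model *p, const char *s, size_t len) {
    const char *tag = model_current_tag(p);
    if (tag == NULL) return 0;
    printf("%zu bytes of text (%.*s) under <%s>\n", len, (int)len, s, tag);
    return 1;
}

/* Replays the test script: "<xss>" parsed first, state reset by the
 * into-struct call, then 10 bytes of text. Returns 0: text at level 0 is ignored. */
static int replay_report_sequence(void) {
    xml_model p = { {0}, 0, 0 };
    model_start_element(&p, "xss");
    model_reset_for_into_struct(&p);
    return model_character_data(&p, "aaaaaaaaaa", 10);
}

/* Normal sequence for contrast: an open <root> element receives the text. */
static int replay_normal_sequence(void) {
    xml_model p = { {0}, 0, 0 };
    model_start_element(&p, "root");
    return model_character_data(&p, "text", 4);
}
```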