archived-php-src

php/archived-php-src

Fork 0

mirror of https://github.com/php/php-src.git synced 2026-04-16 20:41:18 +02:00

Commit Graph

Author	SHA1	Message	Date
Christoph M. Becker	52793c14d9	Improvements to fix #72714 , suggested by nikic	2016-08-20 12:44:20 +02:00
Christoph M. Becker	9164dc11e2	Fix #72714 : _xml_startElementHandler() segmentation fault The issue is caused by an integer overflow when the `long` passed as XML_OPTION_SKIP_TAGSTART is assigned to `xml_parser::toffset` which is declared as `int`. We can simply work around this issue, by clipping resulting negative values to 0 (and raising a notice in this case), because the reasonable range for this value is certainly catered to by positive `int`s. However, there still remains the issue that `xml_parser::toffset` is later added to `char *`s, which can cause OOB reads, so we make sure that the upper bound never exceeds the strlen(). We eschew optimizing `SKIP_TAGSTART` wrt. to the potentially duplicate strlen() call, because that code path is unexpected anyway.	2016-08-20 01:58:08 +02:00

Author

SHA1

Message

Date

Christoph M. Becker

52793c14d9

Improvements to fix #72714 , suggested by nikic

2016-08-20 12:44:20 +02:00

Christoph M. Becker

9164dc11e2

Fix #72714 : _xml_startElementHandler() segmentation fault

The issue is caused by an integer overflow when the `long` passed as
XML_OPTION_SKIP_TAGSTART is assigned to `xml_parser::toffset` which is
declared as `int`. We can simply work around this issue, by clipping
resulting negative values to 0 (and raising a notice in this case), because
the reasonable range for this value is certainly catered to by positive
`int`s.

However, there still remains the issue that `xml_parser::toffset` is later
added to `char *`s, which can cause OOB reads, so we make sure that the
upper bound never exceeds the strlen(). We eschew optimizing `SKIP_TAGSTART`
wrt. to the potentially duplicate strlen() call, because that code path is
unexpected anyway.

2016-08-20 01:58:08 +02:00

2 Commits