exploitDog

GHSA-wg4p-4hqh-c3g9

Published: 13 Mar 2025
Source: github
Github: Not reviewed

Description

Possible out of bounds read when XML_OPTION_SKIP_TAGSTART used

This is a recurrence of bug #72714.

Impact

Out of bounds read can leak heap contents.

<?php
$sample = "<?xml version=\"1.0\"?><test><child/></test>";
$parser = xml_parser_create();
// The skip value (100) is larger than the length of every tag name in $sample.
xml_parser_set_option($parser, XML_OPTION_SKIP_TAGSTART, 100);
$res = xml_parse_into_struct($parser, $sample, $vals, $index);
var_dump($vals);

If we set XML_OPTION_SKIP_TAGSTART to a high value, we can read out of bounds. It doesn't even have to be a crazy high value; as long as an attacker can supply XML with shorter tag names than expected, they can trigger an OOB read.

I coincidentally came across this by reviewing xml.c; I noticed this is a recurrence of https://bugs.php.net/bug.php?id=72714. This was originally fixed in https://github.com/php/php-src/commit/9164dc11e2323b8b80c389bb13d70789799b44fc, but it seems the fix was either incomplete or not merged properly. Granted, this option is rarely used.

Workarounds

Don't use XML_OPTION_SKIP_TAGSTART.
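
The following is an added example, not code from the advisory or from php-src: one way to apply this workaround while still trimming a fixed-length prefix from tag names, by leaving the option at its default and removing the prefix in userland with a length clamp. The helper name parse_into_struct_skipping and the sample document are assumptions made for illustration.

```php
<?php
// Added example: userland replacement for XML_OPTION_SKIP_TAGSTART.
// parse_into_struct_skipping() is a hypothetical helper, not a PHP API.

function parse_into_struct_skipping(string $xml, int $skip): array
{
    if ($skip < 0) {
        throw new InvalidArgumentException('skip must be >= 0');
    }

    $parser = xml_parser_create();
    // XML_OPTION_SKIP_TAGSTART is deliberately left at its default (0),
    // so the extension never offsets into the tag name itself.
    $ok = xml_parse_into_struct($parser, $xml, $vals, $index);
    if ($ok !== 1) {
        $msg = xml_error_string(xml_get_error_code($parser));
        throw new RuntimeException("XML parse failed: $msg");
    }

    // Rebuild the index under the trimmed names.
    $index = [];
    foreach ($vals as $i => &$node) {
        // Clamp the offset to the name length: a tag name shorter than
        // $skip becomes "" instead of an offset past the end of the name.
        $offset = min($skip, strlen($node['tag']));
        $node['tag'] = substr($node['tag'], $offset);
        $index[$node['tag']][] = $i;
    }
    unset($node);

    return [$vals, $index];
}

// Constructed sample: tag names with a 3-character prefix, plus one
// tag (<a/>) that is shorter than the requested skip.
$sample = '<?xml version="1.0"?><ns_test><ns_child/><a/></ns_test>';

[$vals, $index] = parse_into_struct_skipping($sample, 3);
foreach ($vals as $node) {
    printf("%-8s %s\n", $node['type'], var_export($node['tag'], true));
}
```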

Packages

Name: None
Affected versions: < 8.1.32
Fixed version: 8.1.32

Name: None
Affected versions: < 8.2.28
Fixed version: 8.2.28

Name: None
Affected versions: < 8.3.18
Fixed version: 8.3.19

Name: None
Affected versions: < 8.4.5
Fixed version: 8.4.5