From:             
Operating system: Ubuntu 10.10
PHP version:      5.3.3
Package:          XML Writer
Bug Type:         Bug
Bug description:  memory content leak when using invalid utf-8 with XMLWriter::writeAttribute

Description:
------------
It seems that PHP is not correctly using libxml2's xmlwriter routines, and
allows passing in invalid utf-8 strings which are then misparsed by
libxml2, allowing memory contents to leak into the resulting output.



Test script:
---------------
<?php
# Copyright 2010, Canonical, Ltd.
# Author: Kees Cook <k...@ubuntu.com>
# License: GPLv3
#
# Proof-of-concept memory content leak

$xw = new XMLWriter();
$xw->openURI('php://output');

$xw->startElement('input');
$xw->writeAttribute('value', "\xe0\x81");
$xw->endElement();

?>



Expected result:
----------------
<input value="&#xe0;&#e81"/>

Actual result:
--------------
PHP Warning: XMLWriter::writeAttribute(): string is not in UTF-8 in
/tmp/xmlwriter.php on line 12

<input value="&#x40;&#xB1;�ˋ[����ĹJ���R���Q"/>

-- 
Edit bug report at http://bugs.php.net/bug.php?id=52998&edit=1
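
The value in the test script, "\xe0\x81", is a three-byte lead byte followed by only one continuation byte, so the sequence is truncated (and E0 followed by 81 would be overlong even if completed). The C sketch below is an added example, not code from PHP, libxml2 or the reporter: it shows a length-bounded well-formedness check that rejects such a value before it is handed to a writer. The function names are hypothetical and the second sample string is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Offset of the first byte that is not part of a well-formed UTF-8
 * sequence, or len if the buffer is valid. The length is explicit, so a
 * lead byte can never make the check read past the end of the buffer. */
size_t utf8_first_invalid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = s[i], lo = 0x80, hi = 0xBF; /* 2nd-byte range */
        size_t need;                      /* continuation bytes expected */
        if (b < 0x80) { i++; continue; }  /* ASCII */
        if (b >= 0xC2 && b <= 0xDF) {
            need = 1;
        } else if (b >= 0xE0 && b <= 0xEF) {
            need = 2;
            if (b == 0xE0) lo = 0xA0;     /* reject overlong forms */
            if (b == 0xED) hi = 0x9F;     /* reject UTF-16 surrogates */
        } else if (b >= 0xF0 && b <= 0xF4) {
            need = 3;
            if (b == 0xF0) lo = 0x90;     /* reject overlong forms */
            if (b == 0xF4) hi = 0x8F;     /* reject values above U+10FFFF */
        } else {
            return i;                     /* stray continuation, C0/C1, F5..FF */
        }
        if (len - i - 1 < need) return i; /* truncated sequence */
        if (s[i + 1] < lo || s[i + 1] > hi) return i;
        for (size_t k = 2; k <= need; k++)
            if ((s[i + k] & 0xC0) != 0x80) return i;
        i += need + 1;
    }
    return len;
}

/* Hypothetical gate a caller would apply before writing an attribute. */
bool attr_value_is_safe(const char *s, size_t len)
{
    return utf8_first_invalid((const unsigned char *)s, len) == len;
}

int main(void)
{
    const char poc[] = "\xe0\x81";     /* value from the test script */
    const char ok[]  = "caf\xc3\xa9";  /* constructed valid sample */
    printf("poc: %s\n", attr_value_is_safe(poc, sizeof poc - 1) ? "accept" : "reject");
    printf("ok:  %s\n", attr_value_is_safe(ok, sizeof ok - 1) ? "accept" : "reject");
    return 0;
}
```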
