Bug #52998 [Com]: memory content leak when using invalid utf-8 with XMLWriter::writeAttribute

Wed, 06 Oct 2010 12:42:51 -0700 

Edit report at http://bugs.php.net/bug.php?id=52998&edit=1

 ID:                 52998
 Comment by:         kees at outflux dot net
 Reported by:        kees at outflux dot net
 Summary:            memory content leak when using invalid utf-8 with
                     XMLWriter::writeAttribute
 Status:             Bogus
 Type:               Bug
 Package:            XML Writer
 Operating System:   Ubuntu 10.10
 PHP Version:        5.3.3
 Assigned To:        rrichards
 Block user comment: N

 New Comment:

Yeah, it wasn't clear if the API was being misused or not. But it does
seem like a libxml2 bug after I got a test case working there this
morning. For reference, it's here:

https://bugzilla.gnome.org/show_bug.cgi?id=631551


Previous Comments:
------------------------------------------------------------------------
[2010-10-06 21:38:06] rricha...@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

You just reported the same bug to libxml2 bug system. Will be handled
there

------------------------------------------------------------------------
[2010-10-06 21:25:48] paj...@php.net

Rob, does it ring a bell? It could be a bug in libxml?

------------------------------------------------------------------------
[2010-10-06 20:38:47] kees at outflux dot net

This was discovered in Ubuntu, btw:

https://bugs.launchpad.net/php/+bug/655442

------------------------------------------------------------------------
[2010-10-06 03:52:16] kees at outflux dot net

Description:
------------
It seems that PHP is not correctly using libxml2's xmlwriter routines,
and allows passing in invalid utf-8 strings which are then misparsed by
libxml2, allowing memory contents to leak into the resulting output.



Test script:
---------------
<?php

# Copyright 2010, Canonical, Ltd.

# Author: Kees Cook <k...@ubuntu.com>

# License: GPLv3

#

# Proof-of-concept memory content leak



$xw = new XMLWriter();

$xw->openURI('php://output');



$xw->startElement('input');

$xw->writeAttribute('value', "\xe0\x81");

$xw->endElement();



?>



Expected result:
----------------
<input value="&#xe0;&#e81"/>

Actual result:
--------------
PHP Warning: XMLWriter::writeAttribute(): string is not in UTF-8 in
/tmp/xmlwriter.php on line 12

<input value="&#x40;&#xB1;�ˋ[����ĹJ���R���Q"/>


------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52998&edit=1

Reply via email to