author: Christoph M. Becker <cmbecker69@gmx.de> 2016-08-16 20:36:33 +0200
committer: Christoph M. Becker <cmbecker69@gmx.de> 2016-08-20 01:58:08 +0200
commit: 9164dc11e2323b8b80c389bb13d70789799b44fc (patch)
tree: 17978217b1294e39baa12c43375458b811670c2e /NEWS
parent: f682193609a1f511b7cb405a02746d44032bf8de (diff)
download: php-git-9164dc11e2323b8b80c389bb13d70789799b44fc.tar.gz
Fix #72714: _xml_startElementHandler() segmentation fault
The issue is caused by an integer overflow when the `long` passed as XML_OPTION_SKIP_TAGSTART is assigned to `xml_parser::toffset`, which is declared as `int`. We can simply work around this issue by clipping resulting negative values to 0 (and raising a notice in this case), because the reasonable range for this value is certainly catered to by positive `int`s. However, there still remains the issue that `xml_parser::toffset` is later added to `char *`s, which can cause OOB reads, so we make sure that the upper bound never exceeds the strlen(). We eschew optimizing `SKIP_TAGSTART` wrt. the potentially duplicate strlen() call, because that code path is unexpected anyway.
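The two defensive steps the commit message describes (clip a negative offset to 0 with a notice, and never let the offset run past the end of the string it is added to) can be shown in isolation. The following is an added example written for this page, not php-src's own code: `clamped_offset` and `skip_tagstart` are hypothetical helpers, and the notice is modelled as an out-parameter rather than PHP's own notice mechanism.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Convert a user-supplied long option into a safe int offset.
 * - negative values are clipped to 0 and *notice is set, mirroring the
 *   "clip to 0 and raise a notice" behaviour the commit describes;
 * - the result is bounded by tag_len so that tag + offset never points
 *   past the terminating NUL of the string it will be added to. */
static int clamped_offset(long requested, size_t tag_len, int *notice)
{
    *notice = 0;
    if (requested < 0) {
        *notice = 1;          /* caller would emit an E_NOTICE here */
        requested = 0;
    }
    /* requested is non-negative now, so the size_t comparison is safe */
    if ((size_t)requested > tag_len) {
        requested = (long)tag_len;
    }
    if (requested > INT_MAX) {  /* only reachable with enormous tag names */
        requested = INT_MAX;
    }
    return (int)requested;
}

/* Model of "skip the first N bytes of the tag name": the returned pointer
 * always stays within tag, at worst on its terminating NUL. */
static const char *skip_tagstart(const char *tag, long requested)
{
    int notice;
    int off = clamped_offset(requested, strlen(tag), &notice);
    if (notice) {
        fprintf(stderr, "notice: negative tagstart offset clipped to 0\n");
    }
    return tag + off;
}

int main(void)
{
    /* Why the unchecked assignment is dangerous: on LP64 platforms a
     * large long is truncated when stored in an int and may turn negative
     * (the exact value is implementation-defined, so it is only printed). */
    long big = LONG_MAX;
    int truncated = (int)big;
    printf("(int)LONG_MAX = %d\n", truncated);

    /* Constructed tag name; the sample values exercise each branch. */
    printf("offset   3 -> \"%s\"\n", skip_tagstart("ns:tag", 3));
    printf("offset  -7 -> \"%s\"\n", skip_tagstart("ns:tag", -7));
    printf("offset 100 -> \"%s\"\n", skip_tagstart("ns:tag", 100));
    return 0;
}
```

The upper-bound clamp costs an extra strlen() on the skip-tagstart path, which is the trade-off the commit message explicitly accepts because that path is rare.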
Diffstat (limited to 'NEWS'):
 NEWS | 1 +
 1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/NEWS b/NEWS
index d74cc191a2..013d85f84b 100644
--- a/NEWS
+++ b/NEWS
@@ -36,6 +36,7 @@ PHP NEWS
- XML:
. Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb)
+ . Fixed bug #72714 (_xml_startElementHandler() segmentation fault). (cmb)
- ZIP:
. Fixed bug #68302 (impossible to compile php with zip support). (cmb)
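Review bot: the new NEWS line names only the crash, but the commit message says the fix also changes observable behaviour: a negative XML_OPTION_SKIP_TAGSTART value is now clipped to 0 and raises a notice. Consider noting that in the entry (or in UPGRADING) so users who start seeing the notice can trace it to this change.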