Possible out of bounds read when XML_OPTION_SKIP_TAGSTART used

Kurzinfo

Veroeffentlicht: 2025-03-13 17:44 UTC Importiert: 2026-05-14 18:44 UTC Quelle-ID: php_sec uid_hash: b847d5648257ea3856d071c0491b8bd7dcf9614c0d6fe508f3f0a56d3f2b4afa

PHP Security (php/php-src GHSA)

Inhalt

This is a reocurrence of bug #72714 .

Impact

Out of bounds read can leak heap contents.

$parser = xml_parser_create();
xml_parser_set_option($parser, XML_OPTION_SKIP_TAGSTART, 100);
$res = xml_parse_into_struct($parser,$sample,$vals,$index);
var_dump($vals);

If we set XML_OPTION_SKIP_TAGSTART to a high value, we can read out of bounds. It doesn't even have to be a crazy high value, as long as an attacker can supply XML with shorter tag names than expected they can trigger an OOB read. I coincidentally came across this by reviewing xml.c, I noticed this is a reocurrence of https://bugs.php.net/bug.php?id=72714 This was originally fixed in https://github.com/php/php-src/commit/9164dc11e2323b8b80c389bb13d70789799b44fc, but it seems the fix was either incomplete or not merged properly. Granted, this option is rarely used.

Workarounds

Don't use XML_OPTION_SKIP_TAGSTART.

No data

Quellen-Details

Bezeichnung	Name	Kategorie	Tags	Zielgruppe	Sprache	Feed-URL
PHP Security (php/php-src GHSA)	php_sec	vendor_advisory	php, runtime	-	de	https://github.com/php/php-src/security/advisories

Zurueck zur Eintrags-Liste