Edit report at http://bugs.php.net/bug.php?id=52998&edit=1
 ID:                 52998
 Updated by:         paj...@php.net
 Reported by:        kees at outflux dot net
 Summary:            memory content leak when using invalid utf-8 with XMLWriter::writeAttribute
-Status:             Open
+Status:             Assigned
 Type:               Bug
 Package:            XML Writer
 Operating System:   Ubuntu 10.10
 PHP Version:        5.3.3
-Assigned To:
+Assigned To:        rrichards
 Block user comment: N

 New Comment:

Rob, does it ring a bell? It could be a bug in libxml?

Previous Comments:
------------------------------------------------------------------------
[2010-10-06 20:38:47] kees at outflux dot net

This was discovered in Ubuntu, btw:
https://bugs.launchpad.net/php/+bug/655442

------------------------------------------------------------------------
[2010-10-06 03:52:16] kees at outflux dot net

Description:
------------
It seems that PHP is not correctly using libxml2's xmlwriter routines, and
allows passing in invalid utf-8 strings which are then misparsed by libxml2,
allowing memory contents to leak into the resulting output.

Test script:
---------------
<?php
# Copyright 2010, Canonical, Ltd.
# Author: Kees Cook <k...@ubuntu.com>
# License: GPLv3
#
# Proof-of-concept memory content leak

$xw = new XMLWriter();
$xw->openURI('php://output');

$xw->startElement('input');
$xw->writeAttribute('value', "\xe0\x81");
$xw->endElement();
?>

Expected result:
----------------
<input value="à&#e81"/>

Actual result:
--------------
PHP Warning:  XMLWriter::writeAttribute(): string is not in UTF-8 in /tmp/xmlwriter.php on line 12
<input value="@±ï¿½Ë[����ĹJ���R���Q"/>

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52998&edit=1
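
A caller-side check for the input described in the report, as an added example that is not part of the bug report and is not PHP's or libxml2's own code. The helper names is_wellformed_utf8 and write_attribute_checked are hypothetical, and the sample values are constructed (the second is the two-byte string from the test script).

```php
<?php
/**
 * Return true only if $s is well-formed UTF-8.
 * With the /u modifier PCRE validates the whole subject first, and
 * preg_match() returns false (not 0) when the bytes are malformed.
 */
function is_wellformed_utf8($s)
{
    return preg_match('//u', $s) === 1;
}

/**
 * Hypothetical wrapper: refuse to hand malformed UTF-8 to
 * XMLWriter::writeAttribute() instead of relying on its warning.
 */
function write_attribute_checked(XMLWriter $xw, $name, $value)
{
    foreach (array('name' => $name, 'value' => $value) as $what => $s) {
        if (!is_wellformed_utf8($s)) {
            // Log the bytes as hex so the rejected input can be audited.
            throw new InvalidArgumentException(
                "attribute $what is not well-formed UTF-8: " . bin2hex($s)
            );
        }
    }
    return $xw->writeAttribute($name, $value);
}

$xw = new XMLWriter();
$xw->openMemory();          // buffer the document instead of php://output
$xw->startElement('input');

// Constructed inputs: a valid value, then the bytes from the test script.
// 0xE0 announces a three-byte sequence, but only one byte follows it.
foreach (array("caf\xc3\xa9", "\xe0\x81") as $i => $value) {
    try {
        write_attribute_checked($xw, "value$i", $value);
        echo "value$i: written\n";
    } catch (InvalidArgumentException $e) {
        echo "value$i: rejected (", $e->getMessage(), ")\n";
    }
}

$xw->endElement();
echo $xw->outputMemory(), "\n";
```

Rejecting the value before the call means the malformed bytes never reach the xmlwriter routines, whatever the installed libxml2 does with them.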