Segfault when adding attribute to parent that is not an element #16533

Closed
@chibinz

Description

The following code:

<?php

$v0 = new DOMDocument ( );
$v2 = new DOMAttr ( "Eo" , "jP" );
$v8 = new DOMAttr ( "DO" , "f" );
// Attach an attribute node directly under the document (not an element); any exception is swallowed.
try { $v0 -> insertBefore ( $v8 , null ); } catch (\Throwable) { }
// Insert a second attribute node before the first, so the document now has attribute children.
$v0 -> insertBefore ( $v2 , $v8 );
// Validation walks the tree into libxml2, which does not expect attributes as document children.
$v0 -> validate (  );

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==919==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f44a86b7114 bp 0x60f0000004f0 sp 0x7fffa7814090 T0)
==919==The signal is caused by a READ memory access.
==919==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x7f44a86b7114 in xmlHashScan (/lib/x86_64-linux-gnu/libxml2.so.2+0x75114) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
    #1 0x7f44a86ccad4 in xmlValidateDtdFinal (/lib/x86_64-linux-gnu/libxml2.so.2+0x8aad4) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
    #2 0x7f44a86d3811 in xmlValidateDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x91811) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
    #3 0x564b2872527f in zim_DOMDocument_validate /tmp/php-asan/ext/dom/document.c:1849:6
    #4 0x564b2969e3a2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:1919:4
    #5 0x564b295b090d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
    #6 0x564b295b1137 in zend_execute /tmp/php-asan/Zend/zend_vm_execute.h:64217:2
    #7 0x564b299e5620 in zend_execute_script /tmp/php-asan/Zend/zend.c:1928:3
    #8 0x564b29203ebb in php_execute_script_ex /tmp/php-asan/main/main.c:2574:13
    #9 0x564b292043b8 in php_execute_script /tmp/php-asan/main/main.c:2614:9
    #10 0x564b299ed0c9 in do_cli /tmp/php-asan/sapi/cli/php_cli.c:935:5
    #11 0x564b299ea0ec in main /tmp/php-asan/sapi/cli/php_cli.c:1310:18
    #12 0x7f44a8229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f44a8229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x564b28402de4 in _start (/workspaces/TriFuzz/targets/php-asan/bin/php+0x402de4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libxml2.so.2+0x75114) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61) in xmlHashScan
==919==ABORTING

PHP Version

PHP 8.5.0-dev

Operating System

No response
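The added example below is not from the reporter or from the PHP project. It shows the shape of the reproducer (a DOMAttr inserted as a direct child of a DOMDocument, which the trace shows ending in a read fault inside libxml2's xmlHashScan during validation) next to a guarded wrapper that refuses to attach an attribute node to anything but an element, and the conventional way to attach an attribute through createAttribute()/setAttributeNode(). The helper name safeInsertBefore() is hypothetical; the guard is an application-level mitigation and says nothing about how php-src itself fixes the issue.

```php
<?php
declare(strict_types=1);

// Added example, not code from the php-src issue or the PHP project.
// safeInsertBefore() is a hypothetical helper name.

/**
 * Insert $new before $ref under $parent, but refuse to attach an attribute
 * node anywhere except under a DOMElement. An attribute whose parent is the
 * DOMDocument is exactly the tree the crash report builds before validate().
 */
function safeInsertBefore(DOMNode $parent, DOMNode $new, ?DOMNode $ref = null): DOMNode|false
{
    if ($new instanceof DOMAttr && !($parent instanceof DOMElement)) {
        throw new DOMException(
            'Attribute nodes may only be attached to elements; use DOMElement::setAttributeNode()',
            DOM_HIERARCHY_REQUEST_ERR
        );
    }
    return $parent->insertBefore($new, $ref);
}

$doc = new DOMDocument();

// The report's pattern: an attribute node inserted directly under the document.
// The guard rejects it before libxml2 ever sees an inconsistent tree.
try {
    safeInsertBefore($doc, new DOMAttr('Eo', 'jP'));
} catch (DOMException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// The conventional way: attributes belong to an element, created through the
// owner document so libxml2 sees a consistent tree.
$root = $doc->appendChild($doc->createElement('root'));
$attr = $doc->createAttribute('Eo');
$attr->value = 'jP';
$root->setAttributeNode($attr);

echo $doc->saveXML();
```

Run it with a PHP 8 CLI that has ext/dom enabled; the first insertion is rejected with a DOMException carrying DOM_HIERARCHY_REQUEST_ERR, and the serialized document carries the attribute on the root element instead of as a child of the document node.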
