
Segfault when adding attribute to parent that is not an element #16533


Closed

chibinz opened this issue Oct 21, 2024 · 0 comments


chibinz commented Oct 21, 2024

Description

The following code:

<?php

$v0 = new DOMDocument();
$v2 = new DOMAttr("Eo", "jP");
$v8 = new DOMAttr("DO", "f");
// An attribute is inserted directly under the document node (not under an element);
// the first insert is wrapped in try/catch, the second is not.
try { $v0->insertBefore($v8, null); } catch (\Throwable) { }
$v0->insertBefore($v2, $v8);
// Validation walks the DTD/attribute tables and crashes inside xmlHashScan.
$v0->validate();

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==919==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f44a86b7114 bp 0x60f0000004f0 sp 0x7fffa7814090 T0)
==919==The signal is caused by a READ memory access.
==919==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x7f44a86b7114 in xmlHashScan (/lib/x86_64-linux-gnu/libxml2.so.2+0x75114) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
    #1 0x7f44a86ccad4 in xmlValidateDtdFinal (/lib/x86_64-linux-gnu/libxml2.so.2+0x8aad4) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
    #2 0x7f44a86d3811 in xmlValidateDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x91811) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
    #3 0x564b2872527f in zim_DOMDocument_validate /tmp/php-asan/ext/dom/document.c:1849:6
    #4 0x564b2969e3a2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:1919:4
    #5 0x564b295b090d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
    #6 0x564b295b1137 in zend_execute /tmp/php-asan/Zend/zend_vm_execute.h:64217:2
    #7 0x564b299e5620 in zend_execute_script /tmp/php-asan/Zend/zend.c:1928:3
    #8 0x564b29203ebb in php_execute_script_ex /tmp/php-asan/main/main.c:2574:13
    #9 0x564b292043b8 in php_execute_script /tmp/php-asan/main/main.c:2614:9
    #10 0x564b299ed0c9 in do_cli /tmp/php-asan/sapi/cli/php_cli.c:935:5
    #11 0x564b299ea0ec in main /tmp/php-asan/sapi/cli/php_cli.c:1310:18
    #12 0x7f44a8229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f44a8229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x564b28402de4 in _start (/workspaces/TriFuzz/targets/php-asan/bin/php+0x402de4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libxml2.so.2+0x75114) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61) in xmlHashScan
==919==ABORTING

PHP Version

PHP 8.5.0-dev

Operating System

No response
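The fix committed for this issue enforces in ext/dom that attribute nodes are only accepted as children of element nodes. The following is an added example (not code from the report and not php-src's own fix) of how a PHP caller can enforce the same invariant in userland before the nodes reach libxml, which is useful on builds that predate the fix. The helper name `guardedInsertBefore` is an assumption introduced here; everything it calls (`DOMException`, `DOM_HIERARCHY_REQUEST_ERR`, `DOM_NOT_FOUND_ERR`, `isSameNode`, `setAttributeNode`, `insertBefore`) is the standard PHP DOM API.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical userland guard (not part of php-src).
 *
 * Refuses to attach a DOMAttr anywhere except under a DOMElement, which is
 * the invariant the fix for GH-16533 enforces inside ext/dom, and rejects a
 * reference node that is not a child of $parent. Anything that passes the
 * checks is delegated to the normal DOM API.
 */
function guardedInsertBefore(DOMNode $parent, DOMNode $new, ?DOMNode $ref = null): DOMNode
{
    // Attributes are only valid as children of elements.
    if ($new instanceof DOMAttr && !($parent instanceof DOMElement)) {
        throw new DOMException(
            'Attribute nodes may only be attached to element nodes, got ' . get_class($parent),
            DOM_HIERARCHY_REQUEST_ERR
        );
    }

    // A reference node must really be a child of $parent.
    if ($ref !== null && ($ref->parentNode === null || !$ref->parentNode->isSameNode($parent))) {
        throw new DOMException('Reference node is not a child of the parent', DOM_NOT_FOUND_ERR);
    }

    if ($new instanceof DOMAttr) {
        // For attributes the correct operation is setAttributeNode, not insertBefore.
        /** @var DOMElement $parent */
        $parent->setAttributeNode($new);
        return $new;
    }

    return $parent->insertBefore($new, $ref);
}

// Constructed demonstration input.
$doc = new DOMDocument();
$attr = $doc->createAttribute('id');
$attr->value = 'x';

// The shape from the report: the document itself is the parent.
// The guard rejects it before libxml ever sees an attribute under a document node.
try {
    guardedInsertBefore($doc, $attr);
} catch (DOMException $e) {
    echo "rejected: {$e->getMessage()} (code {$e->getCode()})\n";
}

// Correct use: the attribute is attached to an element, and validate() is safe.
$root = $doc->appendChild($doc->createElement('root'));
guardedInsertBefore($root, $attr);
echo $doc->saveXML($root), "\n";
```

Run it with `php guard.php`; the first call prints the rejection with code `DOM_HIERARCHY_REQUEST_ERR` (3), the second prints the serialized `root` element carrying the attribute. The point of routing every insertion through one guard is that the type check lives in a single place, so a fuzzer-style sequence of calls like the one in the report cannot reach libxml with an attribute parented to a document node.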

@nielsdos nielsdos changed the title Segfault in DOM -> validate Segfault when adding attribute to parent that is not an element Oct 21, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Oct 21, 2024
… an element

Attributes are only valid as children of elements. This bug goes back
all the way.
nielsdos added a commit that referenced this issue Oct 21, 2024
* PHP-8.2:
  Fix GH-16535: UAF when using document as a child
  Fix GH-16533: Segfault when adding attribute to parent that is not an element
nielsdos added a commit that referenced this issue Oct 21, 2024
* PHP-8.3:
  Fix GH-16535: UAF when using document as a child
  Fix GH-16533: Segfault when adding attribute to parent that is not an element
nielsdos added a commit that referenced this issue Oct 21, 2024
* PHP-8.4:
  Fix GH-16535: UAF when using document as a child
  Fix GH-16533: Segfault when adding attribute to parent that is not an element