
Memory Leak in xmlNewDoc #16332

@chongwick

Description

The following code:

<?php
class DataFusion {
    public function __construct($script1_dataflow, $script2_dataflow, $random_var) {
        $vars = [$script1_dataflow, $script2_dataflow, $random_var];
        foreach ($vars as $i => $v1) {
            foreach ($vars as $j => $v2) {
                if ($i < $j) {
                    $result["concat_{$i}_{$j}"] = sprintf("%d", PHP_INT_MAX). " ". sprintf("%d", PHP_INT_MIN);
                }
            }
        }
    }
}

class Resource {
    private $resource;

    public function __construct($resource) {
        $this->resource = $resource;
    }

    public function read() {
        return fread($this->resource, 1024);
    }
}

class Foo {
    public function bar() {
        $this->baz(PHP_INT_MAX);
    }

    private function baz($x) {
        if ($x > PHP_INT_MAX) {
            throw new TypeError('Out of range');
        }
        if ($x == PHP_INT_MAX) {
            $this->qux(PHP_FLOAT_MIN);
        }
    }

    private function qux($x) {
        if ($x > PHP_FLOAT_MAX) {
            throw new TypeError('Out of range');
        }
    }
}

class C {
    public static $foo = PHP_INT_MAX;
}

$xml = '<?xml version="1.0" encoding="utf-8"?>
<test>
    <a>'. PHP_INT_MIN. '</a>
</test>';
$root = simplexml_load_string($xml);
$clone = clone $root;

try {
    $y = $clone->__construct(1);
} catch (Exception $e) {
}

$datafusion = new DataFusion($clone, $script2_connect, $random_var);

for ($i = 0; $i < 4; $i++) {
    if ($i == 2) {
        $resource = fopen("php://filter/read=convert.base64-encode/resource=/etc/passwd", 'rb');
    }
    C::$foo = PHP_FLOAT_MIN;
}

$foo = new Foo();
$foo->bar();

$resourceObject = new Resource($resource);
echo $resourceObject->read();

?>

Resulted in this output:

==4004494==ERROR: LeakSanitizer: detected memory leaks

Indirect leak of 600 byte(s) in 5 object(s) allocated from:
    #0 0x14595e52b887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14595dec219f  (/lib/x86_64-linux-gnu/libxml2.so.2+0x7219f)

Indirect leak of 176 byte(s) in 1 object(s) allocated from:
    #0 0x14595e52b887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14595deb2217 in xmlNewDoc (/lib/x86_64-linux-gnu/libxml2.so.2+0x62217)

Indirect leak of 42 byte(s) in 6 object(s) allocated from:
    #0 0x14595e52b887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14595df337f2 in xmlStrdup (/lib/x86_64-linux-gnu/libxml2.so.2+0xe37f2)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x14595e52b887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14595df336e3 in xmlStrndup (/lib/x86_64-linux-gnu/libxml2.so.2+0xe36e3)

SUMMARY: AddressSanitizer: 822 byte(s) leaked in 13 allocation(s).

PHP Version

8.3.9

Operating System

No response
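A reduced form of the reporter's script, added here as an example and not taken from the issue: it keeps only the SimpleXML steps (parse, clone, re-invoke `__construct` on the clone inside `try`/`catch`) and drops the DataFusion, Resource, Foo and C classes. That those classes are unrelated to the leak is an assumption, made because every frame in the LeakSanitizer report above is a libxml2 allocation; whether this reduction still leaks on its own has to be confirmed on an AddressSanitizer-enabled PHP build such as the one the reporter used.

```php
<?php
// Added example (not from the issue): the reporter's script with the classes
// that never touch libxml removed. Assumption: the leak is tied to the
// SimpleXML steps alone. Run on a PHP built with AddressSanitizer so that
// LeakSanitizer reports what is left behind at process exit.

$xml = '<?xml version="1.0" encoding="utf-8"?>
<test>
    <a>' . PHP_INT_MIN . '</a>
</test>';

// Step 1: parse into a SimpleXMLElement backed by a libxml document.
$root = simplexml_load_string($xml);
if ($root === false) {
    fwrite(STDERR, "constructed XML did not parse\n");
    exit(1);
}

// Step 2: clone the root element. The clone is a separate object that
// holds its own reference to libxml data.
$clone = clone $root;

// Step 3: call the constructor again on an object that already holds a
// document. The argument 1 is coerced to the string "1", which is not
// well-formed XML, so the call is expected to throw; the exception is
// swallowed exactly as in the report so the script runs to completion.
try {
    $clone->__construct(1);
} catch (Exception $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}

// Both objects are still alive and usable here; the LSan report concerns
// what is not freed when they are destroyed at the end of the script.
var_dump((string) $root->a);
```

To narrow the trigger further, run the script twice: once as shown and once with the `__construct` call removed. If the leak disappears in the second run, the allocation reported under xmlNewDoc is tied to re-constructing an already-initialised SimpleXMLElement rather than to the clone itself; if it persists, the clone step alone is responsible. The byte counts in the summary will differ from the reporter's with a different libxml2 build.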
