
Null-dereference in ext/dom/node.c #16338

@chibinz

Description


The following code:

<?php
// Reproducer: build a handful of detached DOM nodes, link them together with
// the child-node manipulation methods, then attach the subtree to a document.
$ref = new DOMEntityReference("G");
$com = new DOMComment();
$doc = new DOMDocument();
$elem = new DOMElement("Rj", "o");
$com2 = new DOMComment();
$elem2 = new DOMElement("kx", null, "r");

$elem2->prepend($com);
$com->before("Z");
$com->before($com2);
$com2->after($elem);
$doc->insertBefore($elem2);
// Crashes here: $elem is reachable from $doc but still has no owner document pointer.
$elem->insertBefore($ref);

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==316762==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x562f35bfb780 bp 0x7ffc2eb85750 sp 0x7ffc2eb85710 T0)
==316762==The signal is caused by a WRITE memory access.
==316762==Hint: address points to the zero page.
    #0 0x562f35bfb780 in dom_set_document_ref_obj_single /tmp/php-afl/ext/dom/node.c:749:21
    #1 0x562f35bfb780 in dom_set_document_pointers /tmp/php-afl/ext/dom/node.c:760:7
    #2 0x562f35be6c77 in dom_node_insert_before_legacy /tmp/php-afl/ext/dom/node.c:863:3
    #3 0x562f35be6c77 in dom_node_insert_before /tmp/php-afl/ext/dom/node.c:1020:3
    #4 0x562f36b1eff2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-afl/Zend/zend_vm_execute.h
    #5 0x562f36a206f0 in execute_ex /tmp/php-afl/Zend/zend_vm_execute.h:58554:7
    #6 0x562f36a21507 in zend_execute /tmp/php-afl/Zend/zend_vm_execute.h:64206:2
    #7 0x562f36f08b34 in zend_execute_script /tmp/php-afl/Zend/zend.c:1928:3
    #8 0x562f365d559e in php_execute_script_ex /tmp/php-afl/main/main.c:2574:13
    #9 0x562f36f126fc in do_cli /tmp/php-afl/sapi/cli/php_cli.c:935:5
    #10 0x562f36f0e441 in main /tmp/php-afl/sapi/cli/php_cli.c:1310:18
    #11 0x7f03dbc29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #12 0x7f03dbc29e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #13 0x562f35802a24 in _start (/workspaces/TriFuzz/targets/php-afl/bin/php+0x402a24)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/php-afl/ext/dom/node.c:749:21 in dom_set_document_ref_obj_single
==316762==ABORTING

But I expected this output instead:

no crash

Note removing the last line gives a heap use after free, similar to previous reports. Not sure if this is an isolated issue or duplicate.

PHP Version

PHP 8.4.0-dev

Operating System

No response
