Closed as not planned
Description
The following code:
<?php
// Reproducer as reported (spacing normalized, behaviour unchanged)
$v0 = new DOMDocument();
$v4 = new DOMElement("g");
$v7 = new DOMElement("z");
$v8 = new DOMAttr("iF", "j");
$v9 = new DOMText();
$v7->append($v9);
$v4->setAttributeNode($v8);
$v0->insertBefore($v4, null);
$v8->cloneNode();
$v0->prepend("Sc"); // ASan reports the heap-use-after-free here, in dom_parent_node_prepend
Resulted in this output:
=================================================================
==1322540==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000000508 at pc 0x560797f9ab49 bp 0x7ffc00ac6430 sp 0x7ffc00ac6428
READ of size 8 at 0x60f000000508 thread T0
#0 0x560797f9ab48 in dom_parent_node_prepend /tmp/php-asan/ext/dom/parentnode/tree.c:605:18
#1 0x560797f459d8 in zim_DOMElement_prepend /tmp/php-asan/ext/dom/element.c:1518:2
#2 0x560798e93ac2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-asan/Zend/zend_vm_execute.h:1919:4
#3 0x560798da602d in execute_ex /tmp/php-asan/Zend/zend_vm_execute.h:58565:7
#4 0x560798da6857 in zend_execute /tmp/php-asan/Zend/zend_vm_execute.h:64217:2
#5 0x5607991da9d0 in zend_execute_script /tmp/php-asan/Zend/zend.c:1928:3
#6 0x5607989f961b in php_execute_script_ex /tmp/php-asan/main/main.c:2574:13
#7 0x5607989f9b18 in php_execute_script /tmp/php-asan/main/main.c:2614:9
#8 0x5607991e2479 in do_cli /tmp/php-asan/sapi/cli/php_cli.c:935:5
#9 0x5607991df49c in main /tmp/php-asan/sapi/cli/php_cli.c:1310:18
#10 0x7f3a05429d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#11 0x7f3a05429e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#12 0x560797c02dc4 in _start (/workspaces/TriFuzz/targets/php-asan/bin/php+0x402dc4)
0x60f000000508 is located 24 bytes inside of 176-byte region [0x60f0000004f0,0x60f0000005a0)
freed by thread T0 here:
#0 0x560797c876e2 in free /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f3a0581dd4d in xmlFreeDoc (/lib/x86_64-linux-gnu/libxml2.so.2+0x64d4d) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
previously allocated by thread T0 here:
#0 0x560797c8798e in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x7f3a0581b2de in xmlNewDoc (/lib/x86_64-linux-gnu/libxml2.so.2+0x622de) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/php-asan/ext/dom/parentnode/tree.c:605:18 in dom_parent_node_prepend
==1322540==ABORTING
But I expected this output instead:
no-crash
PHP Version
PHP 8.5.0-dev
Operating System
No response