Description
The following code:
<?php
foreach (get_declared_classes() as$$class) {
try {
$it =!new $$Iterato("faPr0://://///////////////////////////////////////////////
////////////////////$my__=NO=001%1n100H0exe$gulang");
} catch (Throwable) {}
}
?>
Resulted in this AddressSanitizer output:
=================================================================
==1514525==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000003698 at pc 0x55ec222194d6 bp 0x7ffed5437930 sp 0x7ffed54370f8
READ of size 96 at 0x60b000003698 thread T0
#0 0x55ec222194d5 in strlen (/path/to/php-src/sapi/cli/php+0x6194d5) (BuildId: 9024d36fa831e592ed9cead40bcf8aa8077f300e)
#1 0x55ec238875da in zend_update_property_string /path/to/php-src/Zend/zend_API.c:5034:2
#2 0x55ec2354c94c in fill_errors /path/to/php-src/ext/uri/uri_parser_whatwg.c:77:3
#3 0x55ec2354c25a in php_uri_parser_whatwg_parse_ex /path/to/php-src/ext/uri/uri_parser_whatwg.c:566:24
#4 0x55ec2354dacd in php_uri_parser_whatwg_parse /path/to/php-src/ext/uri/uri_parser_whatwg.c:584:9
#5 0x55ec23534877 in php_uri_instantiate_uri /path/to/php-src/ext/uri/php_uri.c:351:14
#6 0x55ec235384db in create_whatwg_uri /path/to/php-src/ext/uri/php_uri.c:498:2
#7 0x55ec23538591 in zim_Uri_WhatWg_Url___construct /path/to/php-src/ext/uri/php_uri.c:509:2
#8 0x55ec23aa4d77 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /path/to/php-src/Zend/zend_vm_execute.h:2022:4
#9 0x55ec239c2272 in execute_ex /path/to/php-src/Zend/zend_vm_execute.h:115754:12
#10 0x55ec239c2b77 in zend_execute /path/to/php-src/Zend/zend_vm_execute.h:121466:2
#11 0x55ec23df22f0 in zend_execute_script /path/to/php-src/Zend/zend.c:1977:3
#12 0x55ec235f703b in php_execute_script_ex /path/to/php-src/main/main.c:2640:13
#13 0x55ec235f7538 in php_execute_script /path/to/php-src/main/main.c:2680:9
#14 0x55ec23dfa1f2 in do_cli /path/to/php-src/sapi/cli/php_cli.c:951:5
#15 0x55ec23df714c in main /path/to/php-src/sapi/cli/php_cli.c:1362:18
#16 0x7fcb14147d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
#17 0x7fcb14147e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
#18 0x55ec22203394 in _start (/path/to/php-src/sapi/cli/php+0x603394) (BuildId: 9024d36fa831e592ed9cead40bcf8aa8077f300e)
0x60b0000036f7 is located 0 bytes to the right of 103-byte region [0x60b000003690,0x60b0000036f7)
freed by thread T0 here:
#0 0x55ec22285f32 in free (/path/to/php-src/sapi/cli/php+0x685f32) (BuildId: 9024d36fa831e592ed9cead40bcf8aa8077f300e)
#1 0x55ec23840fd3 in __zend_free /path/to/php-src/Zend/zend_alloc.c:3571:2
#2 0x55ec23845194 in _efree /path/to/php-src/Zend/zend_alloc.c:2790:3
#3 0x55ec2288ea77 in php_lexbor_free /path/to/php-src/ext/lexbor/php_lexbor.c:49:2
#4 0x55ec229d0e08 in lexbor_free /path/to/php-src/ext/lexbor/lexbor/ports/posix/lexbor/core/memory.c:35:5
#5 0x55ec229e8cb2 in lxb_url_parse_basic_h /path/to/php-src/ext/lexbor/lexbor/url/url.c:2440:5
#6 0x55ec229e04e5 in lxb_url_parse_basic /path/to/php-src/ext/lexbor/lexbor/url/url.c:1244:14
#7 0x55ec229e046a in lxb_url_parse /path/to/php-src/ext/lexbor/lexbor/url/url.c:1231:12
#8 0x55ec2354c214 in php_uri_parser_whatwg_parse_ex /path/to/php-src/ext/uri/uri_parser_whatwg.c:562:19
#9 0x55ec2354dacd in php_uri_parser_whatwg_parse /path/to/php-src/ext/uri/uri_parser_whatwg.c:584:9
#10 0x55ec23534877 in php_uri_instantiate_uri /path/to/php-src/ext/uri/php_uri.c:351:14
#11 0x55ec235384db in create_whatwg_uri /path/to/php-src/ext/uri/php_uri.c:498:2
#12 0x55ec23538591 in zim_Uri_WhatWg_Url___construct /path/to/php-src/ext/uri/php_uri.c:509:2
#13 0x55ec23aa4d77 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /path/to/php-src/Zend/zend_vm_execute.h:2022:4
#14 0x55ec239c2272 in execute_ex /path/to/php-src/Zend/zend_vm_execute.h:115754:12
#15 0x55ec239c2b77 in zend_execute /path/to/php-src/Zend/zend_vm_execute.h:121466:2
#16 0x55ec23df22f0 in zend_execute_script /path/to/php-src/Zend/zend.c:1977:3
#17 0x55ec235f703b in php_execute_script_ex /path/to/php-src/main/main.c:2640:13
#18 0x55ec235f7538 in php_execute_script /path/to/php-src/main/main.c:2680:9
#19 0x55ec23dfa1f2 in do_cli /path/to/php-src/sapi/cli/php_cli.c:951:5
#20 0x55ec23df714c in main /path/to/php-src/sapi/cli/php_cli.c:1362:18
#21 0x7fcb14147d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
previously allocated by thread T0 here:
#0 0x55ec222861de in malloc (/path/to/php-src/sapi/cli/php+0x6861de) (BuildId: 9024d36fa831e592ed9cead40bcf8aa8077f300e)
#1 0x55ec23845703 in __zend_malloc /path/to/php-src/Zend/zend_alloc.c:3543:14
#2 0x55ec23845090 in _emalloc /path/to/php-src/Zend/zend_alloc.c:2780:10
#3 0x55ec2288e9c7 in php_lexbor_malloc /path/to/php-src/ext/lexbor/php_lexbor.c:34:9
#4 0x55ec229d0d88 in lexbor_malloc /path/to/php-src/ext/lexbor/lexbor/ports/posix/lexbor/core/memory.c:17:12
#5 0x55ec229f3823 in lxb_url_remove_tab_newline /path/to/php-src/ext/lexbor/lexbor/url/url.c:3059:11
#6 0x55ec229e0997 in lxb_url_parse_basic_h /path/to/php-src/ext/lexbor/lexbor/url/url.c:1297:11
#7 0x55ec229e04e5 in lxb_url_parse_basic /path/to/php-src/ext/lexbor/lexbor/url/url.c:1244:14
#8 0x55ec229e046a in lxb_url_parse /path/to/php-src/ext/lexbor/lexbor/url/url.c:1231:12
#9 0x55ec2354c214 in php_uri_parser_whatwg_parse_ex /path/to/php-src/ext/uri/uri_parser_whatwg.c:562:19
#10 0x55ec2354dacd in php_uri_parser_whatwg_parse /path/to/php-src/ext/uri/uri_parser_whatwg.c:584:9
#11 0x55ec23534877 in php_uri_instantiate_uri /path/to/php-src/ext/uri/php_uri.c:351:14
#12 0x55ec235384db in create_whatwg_uri /path/to/php-src/ext/uri/php_uri.c:498:2
#13 0x55ec23538591 in zim_Uri_WhatWg_Url___construct /path/to/php-src/ext/uri/php_uri.c:509:2
#14 0x55ec23aa4d77 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /path/to/php-src/Zend/zend_vm_execute.h:2022:4
#15 0x55ec239c2272 in execute_ex /path/to/php-src/Zend/zend_vm_execute.h:115754:12
#16 0x55ec239c2b77 in zend_execute /path/to/php-src/Zend/zend_vm_execute.h:121466:2
#17 0x55ec23df22f0 in zend_execute_script /path/to/php-src/Zend/zend.c:1977:3
#18 0x55ec235f703b in php_execute_script_ex /path/to/php-src/main/main.c:2640:13
#19 0x55ec235f7538 in php_execute_script /path/to/php-src/main/main.c:2680:9
#20 0x55ec23dfa1f2 in do_cli /path/to/php-src/sapi/cli/php_cli.c:951:5
#21 0x55ec23df714c in main /path/to/php-src/sapi/cli/php_cli.c:1362:18
#22 0x7fcb14147d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
SUMMARY: AddressSanitizer: heap-use-after-free (/path/to/php-src/sapi/cli/php+0x6194d5) (BuildId: 9024d36fa831e592ed9cead40bcf8aa8077f300e) in strlen
==1514525==ABORTING
Commit:
6872cf2eef921b9d27fa300ca5a7ad3bc27aee1c
Build configuration:
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic
PHP Version
PHP 8.5.0-dev (cli) (built: Oct 7 2025 14:17:27) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
with Zend OPcache v8.5.0-dev, Copyright (c), by Zend Technologies
Operating System
Ubuntu 22.04
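As an added illustration (not lexbor's or php-src's code), the C model below shows the ownership pattern the two stacks above point at: the block allocated in lxb_url_remove_tab_newline is a scratch copy of the input with tab/newline removed, it is freed inside lxb_url_parse_basic_h, and fill_errors then hands zend_update_property_string a string that still refers to it. All type and function names here are invented; the hardened shape gives the error record its own copy before the scratch buffer is released.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the ownership bug in the trace above; not the
 * real parser. The error record must not alias the parser's scratch copy. */
typedef struct {
    char *message;   /* hardened flow: owned by the record, freed by url_error_free */
} url_error;

/* Returns a malloc'd copy of in[0..len) with '\t', '\n' and '\r' removed,
 * mirroring the scratch buffer the allocation stack shows. */
char *remove_tab_newline(const char *in, size_t len) {
    char *out = malloc(len + 1);
    size_t j = 0;
    for (size_t i = 0; out && i < len; i++)
        if (in[i] != '\t' && in[i] != '\n' && in[i] != '\r')
            out[j++] = in[i];
    if (out) out[j] = '\0';
    return out;
}

static char *copy_cstr(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Buggy shape: *msg_out aliases the scratch copy that is freed on return, so
 * any later read (the strlen in the caller) is a heap-use-after-free.
 * Shown for contrast only; never call it. */
int parse_buggy(const char *input, const char **msg_out) {
    char *scratch = remove_tab_newline(input, strlen(input));
    if (!scratch) return -1;
    *msg_out = scratch;   /* caller now holds a pointer into scratch */
    free(scratch);        /* ...which dangles from here on */
    return 0;
}

/* Hardened shape: the error record gets a private copy before the scratch
 * buffer is released, so it outlives the parser's temporaries. */
int parse_fixed(const char *input, url_error *err) {
    char *scratch = remove_tab_newline(input, strlen(input));
    if (!scratch) return -1;
    err->message = copy_cstr(scratch);   /* constructed "error text": the cleaned input */
    free(scratch);                       /* safe: err->message is independent */
    return err->message ? 0 : -1;
}

void url_error_free(url_error *err) { free(err->message); err->message = NULL; }
```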