Closed
Description
The following code:
<?php
// Unused helper; not needed to trigger the crash.
function varToString($var) {
}
// Attribute constructed directly, so it is not attached to any DOMDocument.
$attr = new DOMAttr('category', 'books');
$script1_dataflow = $attr;
// Unused class; its private __clone() does not apply to the DOMAttr below.
class test {
    private function __clone() {
    }
}
// Cloning the unattached attribute crashes in dom_objects_store_clone_obj.
$clone = clone $script1_dataflow;
Resulted in this output:
/php-src/ext/dom/php_dom.c:597:21: runtime error: member access within null pointer of type 'php_libxml_ref_obj' (aka 'struct _php_libxml_ref_obj')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/ext/dom/php_dom.c:597:21 in
Valgrind output:
==796071== Invalid write of size 8
==796071== at 0x43A3E3: dom_objects_store_clone_obj (php_dom.c:596)
==796071== by 0x8BEA67: ZEND_CLONE_SPEC_CV_HANDLER (zend_vm_execute.h:39861)
==796071== by 0x8E4A17: execute_ex (zend_vm_execute.h:61520)
==796071== by 0x8E5DF4: zend_execute (zend_vm_execute.h:62776)
==796071== by 0x81E8F2: zend_execute_script (zend.c:1896)
==796071== by 0x76C7C1: php_execute_script_ex (main.c:2499)
==796071== by 0x76C947: php_execute_script (main.c:2539)
==796071== by 0x9A98C7: do_cli (php_cli.c:966)
==796071== by 0x9AA5F0: main (php_cli.c:1340)
==796071== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==796071==
==796071==
==796071== Process terminating with default action of signal 11 (SIGSEGV)
==796071== Access not within mapped region at address 0x18
==796071== at 0x43A3E3: dom_objects_store_clone_obj (php_dom.c:596)
==796071== by 0x8BEA67: ZEND_CLONE_SPEC_CV_HANDLER (zend_vm_execute.h:39861)
==796071== by 0x8E4A17: execute_ex (zend_vm_execute.h:61520)
==796071== by 0x8E5DF4: zend_execute (zend_vm_execute.h:62776)
==796071== by 0x81E8F2: zend_execute_script (zend.c:1896)
==796071== by 0x76C7C1: php_execute_script_ex (main.c:2499)
==796071== by 0x76C947: php_execute_script (main.c:2539)
==796071== by 0x9A98C7: do_cli (php_cli.c:966)
==796071== by 0x9AA5F0: main (php_cli.c:1340)
PHP Version
PHP 8.4.0-dev
Operating System
Ubuntu 22.04
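A userland guard, added here as an example and not part of the report or of php-src: it refuses to `clone` a DOMNode whose `ownerDocument` is null, which is the state a node constructed with `new DOMAttr()` is in, and clones normally when the node belongs to a document. `safeClone` is an assumed name.

```php
<?php
declare(strict_types=1);

// Added example, not code from the bug report. Refuses to clone a DOM node
// that has no owning document, the precondition for the reported crash.
function safeClone(DOMNode $node): DOMNode
{
    // A node built with `new DOMAttr()` / `new DOMElement()` and never
    // attached or imported has no owner document; refuse instead of letting
    // the engine's clone handler run on a document-less node.
    if ($node->ownerDocument === null) {
        throw new InvalidArgumentException(
            get_class($node) . ' is not attached to a DOMDocument; '
            . 'create it via the document or import it before cloning'
        );
    }
    return clone $node;
}

// Attached attribute: created through a document, so ownerDocument is set
// and cloning takes the normal path.
$doc  = new DOMDocument();
$root = $doc->appendChild($doc->createElement('book'));
$attr = $doc->createAttribute('category');
$attr->value = 'books';
$root->setAttributeNode($attr);

$copy = safeClone($attr);
var_dump($copy->value);

// Detached attribute, constructed exactly as in the report: the guard throws
// before the crashing clone handler is reached.
try {
    safeClone(new DOMAttr('category', 'books'));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```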