Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c

[YuanchengJiang]

Description

The following code:

<?php
$entity = new DOMEntity();
$fusion = $entity;
$dom = new DOMDocument;
$element = $dom->appendChild($dom->createElement('root'));
$str = str_repeat('X', 2**31 + 10);
try {
$element->append('x', $str);
} catch (ValueError $e) {
$element->prepend('x', $fusion);
}

Resulted in this output:

/php-src/ext/dom/parentnode/tree.c:245:12: runtime error: member access within null pointer of type 'xmlNode' (aka 'struct _xmlNode')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/ext/dom/parentnode/tree.c:245

To reproduce:

-d "memory_limit=-1"

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

[DanielEScherzer]

Minimal reproduction:

<?php
$dom = new DOMDocument;
$element = $dom->appendChild($dom->createElement('root'));
$str = str_repeat('X', 2**31 + 10);
try {
    $element->append('x', $str);
} catch (ValueError $e) {
    $element->prepend('x', new DOMEntity());
}

[nielsdos]

Very old bug, must've been here since the beginning that DOMParentNode was here.