Closed
Description
Description
The following code:
<?php
$e1 = new DOMElement ( "X" , "x" );
$doc = new DOMDocument ( );
$frag = new DOMDocumentFragment ( );
$e2 = new DOMElement ( "H" );
$e3 = new DOMElement ( "W" );
$doc -> insertBefore ( $e3 , null );
$frag -> append ( $e1 );
$e2 -> append ( $frag );
$e3 -> insertBefore ( $e2 , null );Resulted in this output:
=================================================================
==76313==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000007cc8 at pc 0x5575f984ec23 bp 0x7ffd2eab2470 sp 0x7ffd2eab2468
READ of size 4 at 0x60c000007cc8 thread T0
#0 0x5575f984ec22 in dom_objects_free_storage /tmp/php-afl/ext/dom/php_dom.c:1448:13
#1 0x5575faa513ff in zend_objects_store_del /tmp/php-afl/Zend/zend_objects_API.c:194:4
#2 0x5575faaddd93 in rc_dtor_func /tmp/php-afl/Zend/zend_variables.c:57:2
#3 0x5575faaddd93 in i_zval_ptr_dtor /tmp/php-afl/Zend/zend_variables.h:45:4
#4 0x5575faaddd93 in zval_ptr_dtor /tmp/php-afl/Zend/zend_variables.c:84:2
#5 0x5575fa90e37f in _zend_hash_del_el_ex /tmp/php-afl/Zend/zend_hash.c:1487:3
#6 0x5575fa90e37f in _zend_hash_del_el /tmp/php-afl/Zend/zend_hash.c:1514:2
#7 0x5575fa92262f in zend_hash_reverse_apply /tmp/php-afl/Zend/zend_hash.c:2230:5
#8 0x5575fa5e110b in shutdown_destructors /tmp/php-afl/Zend/zend_execute_API.c:262:4
#9 0x5575faafd109 in zend_call_destructors /tmp/php-afl/Zend/zend.c:1326:3
#10 0x5575fa1cc40b in php_request_shutdown /tmp/php-afl/main/main.c:1912:3
#11 0x5575fab0edcb in do_cli /tmp/php-afl/sapi/cli/php_cli.c:1106:3
#12 0x5575fab09c91 in main /tmp/php-afl/sapi/cli/php_cli.c:1310:18
#13 0x7f1a30c29d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#14 0x7f1a30c29e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#15 0x5575f9402a24 in _start (/workspaces/TriFuzz/targets/php-afl/bin/php+0x402a24)
0x60c000007cc8 is located 8 bytes inside of 120-byte region [0x60c000007cc0,0x60c000007d38)
freed by thread T0 here:
#0 0x5575f9487342 in free /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f1a3111680b in xmlFreeNodeList (/lib/x86_64-linux-gnu/libxml2.so.2+0x6480b) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
previously allocated by thread T0 here:
#0 0x5575f94875ee in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x7f1a311145f4 in xmlNewNode (/lib/x86_64-linux-gnu/libxml2.so.2+0x625f4) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/php-afl/ext/dom/php_dom.c:1448:13 in dom_objects_free_storage
Shadow bytes around the buggy address:
0x0c187fff8f40: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff8f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff8f60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff8f70: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff8f90: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
0x0c187fff8fa0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c187fff8fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c187fff8fc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fff8fd0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c187fff8fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==76313==ABORTING
But I expected this output instead:
no crash
PHP Version
PHP 8.4.0-dev
Operating System
No response