Closed
Description
The following code:
<?php
$doc = new DOMDocument();
$elem = new DOMElement("g");
$attr = new DOMAttr("iF", "j");
$elem->setAttributeNode($attr);
$doc->insertBefore($elem, null);
$attr->cloneNode();
Resulted in this output:
=================================================================
==314930==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d9a8 at pc 0x56157804f663 bp 0x7ffefbc5cf50 sp 0x7ffefbc5cf48
READ of size 4 at 0x60800000d9a8 thread T0
#0 0x56157804f662 in dom_objects_free_storage /tmp/php-afl/ext/dom/php_dom.c:1448:13
#1 0x56157925594f in zend_objects_store_del /tmp/php-afl/Zend/zend_objects_API.c:194:4
#2 0x5615792e2523 in rc_dtor_func /tmp/php-afl/Zend/zend_variables.c:57:2
#3 0x5615792e2523 in i_zval_ptr_dtor /tmp/php-afl/Zend/zend_variables.h:45:4
#4 0x5615792e2523 in zval_ptr_dtor /tmp/php-afl/Zend/zend_variables.c:84:2
#5 0x56157911178f in _zend_hash_del_el_ex /tmp/php-afl/Zend/zend_hash.c:1487:3
#6 0x56157911178f in _zend_hash_del_el /tmp/php-afl/Zend/zend_hash.c:1514:2
#7 0x561579125a3f in zend_hash_reverse_apply /tmp/php-afl/Zend/zend_hash.c:2230:5
#8 0x561578de339b in shutdown_destructors /tmp/php-afl/Zend/zend_execute_API.c:262:4
#9 0x5615793018b9 in zend_call_destructors /tmp/php-afl/Zend/zend.c:1326:3
#10 0x5615789cde98 in php_request_shutdown /tmp/php-afl/main/main.c:1912:3
#11 0x56157931357b in do_cli /tmp/php-afl/sapi/cli/php_cli.c:1106:3
#12 0x56157930e441 in main /tmp/php-afl/sapi/cli/php_cli.c:1310:18
#13 0x7f499d229d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#14 0x7f499d229e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#15 0x561577c02a24 in _start (/workspaces/TriFuzz/targets/php-afl/bin/php+0x402a24)
0x60800000d9a8 is located 8 bytes inside of 96-byte region [0x60800000d9a0,0x60800000da00)
freed by thread T0 here:
#0 0x561577c87342 in free /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f499d61388b in xmlFreeNodeList (/lib/x86_64-linux-gnu/libxml2.so.2+0x6488b) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
previously allocated by thread T0 here:
#0 0x561577c875ee in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x7f499d611dad in xmlNewProp (/lib/x86_64-linux-gnu/libxml2.so.2+0x62dad) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/php-afl/ext/dom/php_dom.c:1448:13 in dom_objects_free_storage
Shadow bytes around the buggy address:
0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff9af0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff9b00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff9b10: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff9b20: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 05 fa
=>0x0c107fff9b30: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c107fff9b40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==314930==ABORTING
But I expected this output instead:
no crash
PHP Version
PHP 8.4.0-dev
Operating System
No response