Closed
Description
The following code:

```php
<?php
// Create a text node and attach it to a document; the document now owns the libxml node.
$text = new DOMText('my value');
$doc = new DOMDocument();
$doc->appendChild($text);
// Call the constructor again on the already attached object, then re-append it.
$text->__construct('my new value');
$doc->appendChild($text);
echo $doc->saveXML();
// Try to attach the same object to a second document.
$dom2 = new DOMDocument();
try {
    $dom2->appendChild($text);
} catch (DOMException $e) {
    echo $e->getMessage(), "\n";
}
?>
```
Resulted in this output:

```
==3601128==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000008c88 at pc 0x559b8ab20cc1 bp 0x7ffeb57b9670 sp 0x7ffeb57b9660
READ of size 4 at 0x60c000008c88 thread T0
    #0 0x559b8ab20cc0 in dom_objects_free_storage /home/dan/php-src/ext/dom/php_dom.c:1448
    #1 0x559b8b51ab8e in zend_objects_store_del /home/dan/php-src/Zend/zend_objects_API.c:194
    #2 0x559b8b491851 in _zend_hash_del_el_ex /home/dan/php-src/Zend/zend_hash.c:1487
    #3 0x559b8b491851 in _zend_hash_del_el /home/dan/php-src/Zend/zend_hash.c:1514
    #4 0x559b8b491851 in zend_hash_reverse_apply /home/dan/php-src/Zend/zend_hash.c:2230
    #5 0x559b8b2bd004 in shutdown_destructors /home/dan/php-src/Zend/zend_execute_API.c:262
    #6 0x559b8b5718ec in zend_call_destructors /home/dan/php-src/Zend/zend.c:1332
    #7 0x559b8b098d8e in php_request_shutdown /home/dan/php-src/main/main.c:1912
    #8 0x559b8b576159 in do_cli /home/dan/php-src/sapi/cli/php_cli.c:1106
    #9 0x559b8a8e23c2 in main /home/dan/php-src/sapi/cli/php_cli.c:1310
    #10 0x152d4db45d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x152d4db45e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #12 0x559b8a8e3634 in _start (/home/w023dtc/php_engines/san_php+0x4c8634)

0x60c000008c88 is located 8 bytes inside of 120-byte region [0x60c000008c80,0x60c000008cf8)
freed by thread T0 here:
    #0 0x152d4e20f537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x152d4def680b in xmlFreeNodeList (/lib/x86_64-linux-gnu/libxml2.so.2+0x6480b)

previously allocated by thread T0 here:
    #0 0x152d4e20f887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x152d4def487b in xmlNewText (/lib/x86_64-linux-gnu/libxml2.so.2+0x6287b)

SUMMARY: AddressSanitizer: heap-use-after-free /home/dan/php-src/ext/dom/php_dom.c:1448 in dom_objects_free_storage
Shadow bytes around the buggy address:
  0x0c187fff9140: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fff9150: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fff9160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff9170: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff9180: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
=>0x0c187fff9190: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c187fff91a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff91b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff91c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff91d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff91e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3601128==ABORTING
```
PHP Version
8.4.1
Operating System
Ubuntu 22.04
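For comparison, the following is an added example (not part of the report, and not php-src code) showing the same document edits done without re-invoking `__construct()` on a node that a document already owns: the text is changed in place, the node is moved to a second document via `importNode()`, and a hypothetical `GuardedText` subclass rejects a second constructor call in userland before it can reach the engine. It assumes a stock PHP build with ext/dom; the class name is an assumption, not an API.

```php
<?php
// Added example, not part of the bug report above. Assumes a stock PHP build
// with ext/dom; GuardedText is a hypothetical name chosen for this example.

final class GuardedText extends DOMText
{
    // Property defaults are set before the constructor body runs, so this flag
    // is false on the first __construct() call and true on any later one.
    private bool $constructed = false;

    public function __construct(string $data = '')
    {
        if ($this->constructed) {
            // Re-initialising a live node is what the report's script does;
            // refuse it here rather than letting it reach the DOM internals.
            throw new LogicException('__construct() called twice on the same DOMText');
        }
        $this->constructed = true;
        parent::__construct($data);
    }
}

// Build the document and attach the text node under a root element.
$doc  = new DOMDocument('1.0', 'UTF-8');
$root = $doc->appendChild($doc->createElement('root'));
$text = new GuardedText('my value');
$root->appendChild($text);

// Change the content in place: the underlying libxml node is modified, not
// freed and recreated, so the document's ownership of it stays valid.
$text->data = 'my new value';
echo $doc->saveXML();

// A second constructor call is now rejected before it can touch the node.
try {
    $text->__construct('again');
} catch (LogicException $e) {
    echo $e->getMessage(), "\n";
}

// A node cannot be appended directly to a different document (appendChild()
// throws a DOMException for a foreign node); import a copy instead.
$dom2  = new DOMDocument('1.0', 'UTF-8');
$root2 = $dom2->appendChild($dom2->createElement('root'));
$root2->appendChild($dom2->importNode($text, true));
echo $dom2->saveXML();
```

The guard only covers objects created through the subclass; nodes produced by `createTextNode()` keep their registered class, so `DOMDocument::registerNodeClass()` would be needed to route those through `GuardedText` as well.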