PHP :: Bug #78025 :: segfault when accessing properties of DOMDocumentType

Bug #78025	segfault when accessing properties of DOMDocumentType
Submitted:	2019-05-17 09:01 UTC	Modified:	2019-05-17 11:25 UTC
From:	ph dot fritsche at gmail dot com	Assigned:	cmb (profile)
Status:	Closed	Package:	DOM XML related
PHP Version:	7.2.18	OS:	Windows
Private report:	No	CVE-ID:	None

View Developer Edit

[2019-05-17 09:01 UTC] ph dot fritsche at gmail dot com

Description:
------------
PHP crashes when accessing properties of DOMDocumentType after loading a malformed declaration.

code:	c0000005
offset:	00000000002985c3

Test script:
---------------
<?php

$htm = "<!DOCTYPE><html></html>";

$dom = new DOMDocument;
$dom->loadHTML($htm);

$dom->doctype;
var_dump("i'm still here");

$dom->doctype->name;
var_dump("i'm not");

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-05-17 09:04 UTC] sjon@php.net

-Summary: AppCrash when accessing properties of DOMDocumentType +Summary: segfault when accessing properties of DOMDocumentType -Status: Open +Status: Verified

[2019-05-17 09:04 UTC] sjon@php.net

I can confirm - see https://3v4l.org/LE4P6. Happens on all of the supported versions (on linux as well)

[2019-05-17 09:57 UTC] cmb@php.net

The fix could be as simple as

 ext/dom/documenttype.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/dom/documenttype.c b/ext/dom/documenttype.c
index ff7107d165..dd8a647167 100644
--- a/ext/dom/documenttype.c
+++ b/ext/dom/documenttype.c
@@ -50,7 +50,7 @@ int dom_documenttype_name_read(dom_object *obj, zval *retval)
 		return FAILURE;
 	}
 
-	ZVAL_STRING(retval, (char *) (dtdptr->name));
+	ZVAL_STRING(retval, dtdptr->name ? (char *) (dtdptr->name) : "");
 
 	return SUCCESS;
 }

The question is which property value should be reported, and
whether there should be an additional notice/warning.

[2019-05-17 10:26 UTC] ph dot fritsche at gmail dot com

A warning is already issued by loadHTML() reporting the malformed declaration.

Just returning the empty string should be fine.

[2019-05-17 11:25 UTC] cmb@php.net

-Assigned To: +Assigned To: cmb

[2019-05-17 11:34 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e246dea9fe4d679f20de298c753d9ad083dbad68
Log: Fix #78025: segfault when accessing properties of DOMDocumentType

[2019-05-17 11:34 UTC] cmb@php.net

-Status: Verified +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 11:00:01 2025 UTC