Bug #78025 segfault when accessing properties of DOMDocumentType
Submitted: 2019-05-17 09:01 UTC
Modified: 2019-05-17 11:25 UTC
From: ph dot fritsche at gmail dot com
Assigned: cmb
Status: Closed
Package: DOM XML related
PHP Version: 7.2.18
OS: Windows
Private report: No
CVE-ID: None
 [2019-05-17 09:01 UTC] ph dot fritsche at gmail dot com
Description:
------------
PHP crashes when accessing properties of DOMDocumentType after loading a malformed declaration.

code:	c0000005
offset:	00000000002985c3

Test script:
---------------
<?php

$htm = "<!DOCTYPE><html></html>";

$dom = new DOMDocument;
$dom->loadHTML($htm);

$dom->doctype;
var_dump("i'm still here");

$dom->doctype->name;
var_dump("i'm not");



 [2019-05-17 09:04 UTC] sjon@php.net
-Summary: AppCrash when accessing properties of DOMDocumentType
+Summary: segfault when accessing properties of DOMDocumentType
-Status: Open
+Status: Verified
 [2019-05-17 09:04 UTC] sjon@php.net
I can confirm - see https://3v4l.org/LE4P6. Happens on all of the supported versions (on Linux as well).
 [2019-05-17 09:57 UTC] cmb@php.net
The fix could be as simple as

 ext/dom/documenttype.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/dom/documenttype.c b/ext/dom/documenttype.c
index ff7107d165..dd8a647167 100644
--- a/ext/dom/documenttype.c
+++ b/ext/dom/documenttype.c
@@ -50,7 +50,7 @@ int dom_documenttype_name_read(dom_object *obj, zval *retval)
 		return FAILURE;
 	}
 
-	ZVAL_STRING(retval, (char *) (dtdptr->name));
+	ZVAL_STRING(retval, dtdptr->name ? (char *) (dtdptr->name) : "");
 
 	return SUCCESS;
 }
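
Review bot: The NULL guard on the changed ZVAL_STRING line covers only dtdptr->name in dom_documenttype_name_read, and the diffstat (1 file changed, 1 insertion, 1 deletion) shows no regression test accompanying it. Suggest adding a .phpt test that loads the report's "<!DOCTYPE><html></html>" input and reads $dom->doctype->name, so the empty-string result is pinned down. Since the report title speaks of properties in general, it is also worth checking whether the other DOMDocumentType property readers in this file pass a possibly-NULL dtdptr field to ZVAL_STRING in the same way.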

The question is which property value should be reported, and
whether there should be an additional notice/warning.
 [2019-05-17 10:26 UTC] ph dot fritsche at gmail dot com
A warning is already issued by loadHTML() reporting the malformed declaration.

Just returning the empty string should be fine.
 [2019-05-17 11:25 UTC] cmb@php.net
-Assigned To:
+Assigned To: cmb
 [2019-05-17 11:34 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e246dea9fe4d679f20de298c753d9ad083dbad68
Log: Fix #78025: segfault when accessing properties of DOMDocumentType
 [2019-05-17 11:34 UTC] cmb@php.net
-Status: Verified
+Status: Closed
 