Bug #78025 segfault when accessing properties of DOMDocumentType
Submitted: 2019-05-17 09:01 UTC
Modified: 2019-05-17 11:25 UTC
From: ph dot fritsche at gmail dot com
Assigned: cmb
Status: Closed
Package: DOM XML related
PHP Version: 7.2.18
OS: Windows
Private report: No
CVE-ID: None
 [2019-05-17 09:01 UTC] ph dot fritsche at gmail dot com
Description:
------------
PHP crashes when accessing properties of DOMDocumentType after loading a malformed declaration.

code:	c0000005
offset:	00000000002985c3

Test script:
---------------
<?php

$htm = "<!DOCTYPE><html></html>";

$dom = new DOMDocument;
$dom->loadHTML($htm);

$dom->doctype;
var_dump("i'm still here");

$dom->doctype->name;
var_dump("i'm not");



 [2019-05-17 09:04 UTC] sjon@php.net
-Summary: AppCrash when accessing properties of DOMDocumentType
+Summary: segfault when accessing properties of DOMDocumentType
-Status: Open
+Status: Verified
 [2019-05-17 09:04 UTC] sjon@php.net
I can confirm - see https://3v4l.org/LE4P6. Happens on all of the supported versions (on Linux as well).
 [2019-05-17 09:57 UTC] cmb@php.net
The fix could be as simple as

 ext/dom/documenttype.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/dom/documenttype.c b/ext/dom/documenttype.c
index ff7107d165..dd8a647167 100644
--- a/ext/dom/documenttype.c
+++ b/ext/dom/documenttype.c
@@ -50,7 +50,7 @@ int dom_documenttype_name_read(dom_object *obj, zval *retval)
 		return FAILURE;
 	}
 
-	ZVAL_STRING(retval, (char *) (dtdptr->name));
+	ZVAL_STRING(retval, dtdptr->name ? (char *) (dtdptr->name) : "");
 
 	return SUCCESS;
 }
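
Review bot: In dom_documenttype_name_read, the new ternary on dtdptr->name handles the NULL case silently, and nothing in the hunk records why the name can be NULL. A one-line comment above the ZVAL_STRING call, noting that a malformed `<!DOCTYPE>` without a name (as in the report's test script) leaves dtdptr->name NULL, would keep a later cleanup from removing the guard. Because the fallback is a literal empty string, an explicit if/else using ZVAL_EMPTY_STRING(retval) would read more clearly than passing "" through ZVAL_STRING. The diffstat touches only ext/dom/documenttype.c, so a regression test built from the reporter's script should accompany the change, and it is worth confirming that the other DOMDocumentType property readers do not hand unchecked dtdptr fields to string macros in the same way.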

The question is which property value should be reported, and
whether there should be an additional notice/warning.
 [2019-05-17 10:26 UTC] ph dot fritsche at gmail dot com
A warning is already issued by loadHTML() reporting the malformed declaration.

Just returning the empty string should be fine.
 [2019-05-17 11:25 UTC] cmb@php.net
-Assigned To:
+Assigned To: cmb
 [2019-05-17 11:34 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e246dea9fe4d679f20de298c753d9ad083dbad68
Log: Fix #78025: segfault when accessing properties of DOMDocumentType
 [2019-05-17 11:34 UTC] cmb@php.net
-Status: Verified
+Status: Closed
 
Last updated: Thu Nov 21 11:01:29 2024 UTC