php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70359 print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()
Submitted: 2015-08-25 16:26 UTC Modified: 2018-08-10 15:17 UTC
Votes:3
Avg. Score:3.7 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: rainer-phpbugs at 7val dot com Assigned:
Status: Verified Package: DOM XML related
PHP Version: 7.0.0RC1 OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2015-08-25 16:26 UTC] rainer-phpbugs at 7val dot com
Description:
------------
(gdb) run a.php
Starting program: /home/canavan/FIT/14-7/lib/fit/bin/php a.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
php_libxml_node_free_list (node=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:235
235                             switch (node->type) {
(gdb) bt
#0  php_libxml_node_free_list (node=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:235
#1  0x000000000045c769 in php_libxml_node_free_list (node=0xe4ca90) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:255
#2  0x000000000045c8c1 in php_libxml_node_free_resource (node=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:1298
#3  0x000000000045ca78 in php_libxml_node_decrement_resource (object=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:1333
#4  0x0000000000473005 in dom_objects_free_storage (object=0x7ffff1270198) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/dom/php_dom.c:1045
#5  0x000000000071d61a in zend_objects_store_del (object=0x7ffff1270198) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_objects_API.c:181
#6  0x0000000000472d15 in _zval_dtor (zvalue=0x7fffffff9f50, zvalue=0x7fffffff9f50) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_variables.h:43
#7  dom_get_debug_info_helper (is_temp=<optimized out>, object=<optimized out>) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/dom/php_dom.c:444
#8  dom_get_debug_info (object=<optimized out>, is_temp=<optimized out>) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/dom/php_dom.c:459
#9  0x00000000006d9c09 in zend_print_zval_r_ex (write_func=0x66c070 <php_output_wrapper>, expr=0x7ffff12131c0, indent=indent@entry=0)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend.c:359
#10 0x00000000006d9d74 in zend_print_zval_r (expr=<optimized out>, indent=indent@entry=0) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend.c:324
#11 0x00000000005e252e in zif_print_r (execute_data=<optimized out>, return_value=0x7ffff1213150)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/standard/basic_functions.c:5488
#12 0x000000000073379d in ZEND_DO_ICALL_SPEC_HANDLER () at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_vm_execute.h:577
#13 0x0000000000722fcb in execute_ex (ex=<optimized out>) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_vm_execute.h:406
#14 0x0000000000790547 in zend_execute (op_array=0x7ffff1284000, return_value=<optimized out>)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_vm_execute.h:450
#15 0x00000000006db7f5 in zend_execute_scripts (type=8, retval=0x7ffff1200000, retval@entry=0x0, file_count=3)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend.c:1404
#16 0x000000000066ffe8 in php_execute_script (primary_file=0x7fffffffc6a0) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/main/main.c:2475
#17 0x000000000079278b in do_cli (argc=33, argv=0x7ffff1200000) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/sapi/cli/php_cli.c:971
#18 0x0000000000429130 in main (argc=33, argv=0x7ffff1200000) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/sapi/cli/php_cli.c:1338


Test script:
---------------
<?php
$dom = new DOMDocument();
$dom->load('sitemap.xml');

if ($dom->documentElement) {
    if ($spaceNode = $dom->documentElement->getAttributeNode('xmlns')) {
      print_r($spaceNode,1);
    }
}
?>

with sitemap.xml

<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xsi="fooooooooooooooooooooo">
</urlset>

Expected result:
----------------
No segfault, possibly an error or warning.

Affects PHP 5.6.11 as well as 7.0-rc1


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-25 21:17 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2015-08-25 21:17 UTC] cmb@php.net
Confirmed: <https://3v4l.org/p5Jmb>. Additionally, accessing the
parentNode of such an attribute node also segfaults, see
<https://3v4l.org/FuH85>.

It appears the culprit is in DomElement::getAttributeNode()[1].
The _private member is supposed to hold a dom_object*, but is
later assigned to the parent member of the new xmlNode. Changing
the code respectively would prevent the segfault and give a
reasonable result, but leaks memory (valgrind).

[1] <https://github.com/php/php-src/blob/php-7.0.0RC1/ext/dom/element.c#L500-L517>
 [2018-08-10 15:17 UTC] cmb@php.net
Actually the culprit is dom_get_dom1_attribute()[1], which may
cast pointers to xmlNs[2] to pointers to xmlNode[3], although
these types are incompatible.

[1] <https://github.com/php/php-src/blob/php-7.3.0beta1/ext/dom/element.c#L273-L313>
[2] <http://www.xmlsoft.org/html/libxml-tree.html#xmlNs>
[3] <http://www.xmlsoft.org/html/libxml-tree.html#xmlNode>
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Nov 18 14:01:39 2019 UTC