Bug #70359 print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()
Submitted: 2015-08-25 16:26 UTC Modified: 2018-08-10 15:17 UTC
Votes:3
Avg. Score:3.7 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: rainer-phpbugs at 7val dot com Assigned:
Status: Closed Package: DOM XML related
PHP Version: 7.0.0RC1 OS:
Private report: No CVE-ID: None
 [2015-08-25 16:26 UTC] rainer-phpbugs at 7val dot com
Description:
------------
(gdb) run a.php
Starting program: /home/canavan/FIT/14-7/lib/fit/bin/php a.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
php_libxml_node_free_list (node=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:235
235                             switch (node->type) {
(gdb) bt
#0  php_libxml_node_free_list (node=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:235
#1  0x000000000045c769 in php_libxml_node_free_list (node=0xe4ca90) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:255
#2  0x000000000045c8c1 in php_libxml_node_free_resource (node=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:1298
#3  0x000000000045ca78 in php_libxml_node_decrement_resource (object=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:1333
#4  0x0000000000473005 in dom_objects_free_storage (object=0x7ffff1270198) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/dom/php_dom.c:1045
#5  0x000000000071d61a in zend_objects_store_del (object=0x7ffff1270198) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_objects_API.c:181
#6  0x0000000000472d15 in _zval_dtor (zvalue=0x7fffffff9f50, zvalue=0x7fffffff9f50) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_variables.h:43
#7  dom_get_debug_info_helper (is_temp=<optimized out>, object=<optimized out>) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/dom/php_dom.c:444
#8  dom_get_debug_info (object=<optimized out>, is_temp=<optimized out>) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/dom/php_dom.c:459
#9  0x00000000006d9c09 in zend_print_zval_r_ex (write_func=0x66c070 <php_output_wrapper>, expr=0x7ffff12131c0, indent=indent@entry=0)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend.c:359
#10 0x00000000006d9d74 in zend_print_zval_r (expr=<optimized out>, indent=indent@entry=0) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend.c:324
#11 0x00000000005e252e in zif_print_r (execute_data=<optimized out>, return_value=0x7ffff1213150)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/standard/basic_functions.c:5488
#12 0x000000000073379d in ZEND_DO_ICALL_SPEC_HANDLER () at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_vm_execute.h:577
#13 0x0000000000722fcb in execute_ex (ex=<optimized out>) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_vm_execute.h:406
#14 0x0000000000790547 in zend_execute (op_array=0x7ffff1284000, return_value=<optimized out>)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_vm_execute.h:450
#15 0x00000000006db7f5 in zend_execute_scripts (type=8, retval=0x7ffff1200000, retval@entry=0x0, file_count=3)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend.c:1404
#16 0x000000000066ffe8 in php_execute_script (primary_file=0x7fffffffc6a0) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/main/main.c:2475
#17 0x000000000079278b in do_cli (argc=33, argv=0x7ffff1200000) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/sapi/cli/php_cli.c:971
#18 0x0000000000429130 in main (argc=33, argv=0x7ffff1200000) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/sapi/cli/php_cli.c:1338


Test script:
---------------
<?php
$dom = new DOMDocument();
$dom->load('sitemap.xml');

if ($dom->documentElement) {
    // 'xmlns' resolves to a namespace declaration, not a regular attribute
    if ($spaceNode = $dom->documentElement->getAttributeNode('xmlns')) {
        print_r($spaceNode, 1); // segfaults in php_libxml_node_free_list()
    }
}
?>

with sitemap.xml

<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xsi="fooooooooooooooooooooo">
</urlset>

Expected result:
----------------
No segfault, possibly an error or warning.

Affects PHP 5.6.11 as well as 7.0-rc1


History
 [2015-08-25 21:17 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2015-08-25 21:17 UTC] cmb@php.net
Confirmed: <https://3v4l.org/p5Jmb>. Additionally, accessing the
parentNode of such an attribute node also segfaults, see
<https://3v4l.org/FuH85>.

It appears the culprit is in DomElement::getAttributeNode()[1].
The _private member is supposed to hold a dom_object*, but is
later assigned to the parent member of the new xmlNode. Changing
the code respectively would prevent the segfault and give a
reasonable result, but leaks memory (valgrind).

[1] <https://github.com/php/php-src/blob/php-7.0.0RC1/ext/dom/element.c#L500-L517>
 [2018-08-10 15:17 UTC] cmb@php.net
Actually the culprit is dom_get_dom1_attribute()[1], which may
cast pointers to xmlNs[2] to pointers to xmlNode[3], although
these types are incompatible.

[1] <https://github.com/php/php-src/blob/php-7.3.0beta1/ext/dom/element.c#L273-L313>
[2] <http://www.xmlsoft.org/html/libxml-tree.html#xmlNs>
[3] <http://www.xmlsoft.org/html/libxml-tree.html#xmlNode>
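To make the two comments above concrete (the `_private`/`parent` confusion in the first, the xmlNs-to-xmlNode cast in the second), here is an added C example; it is not code from php-src or libxml2. The `sim_*` structs are constructed stand-ins that share with the real xmlNode and xmlNs only their leading pointer-then-type layout and the `XML_NAMESPACE_DECL` value of 18; the attribute lookup and the list walk are simplified sketches, not the real `dom_get_dom1_attribute()` or `php_libxml_node_free_list()`, and the sample data is the root element of the reporter's sitemap.xml plus a made-up `count` attribute.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-ins (hypothetical sim_* names) for libxml2's
 * xmlNode and xmlNs. As in libxml2's tree.h, both open with a pointer followed
 * by the type tag; every later field differs between the two structs. */
typedef enum { SIM_ELEMENT_NODE = 1, SIM_ATTRIBUTE_NODE = 2,
               SIM_NAMESPACE_DECL = 18 /* libxml2's XML_NAMESPACE_DECL */ } sim_type;

typedef struct sim_node {
    void *_private;              /* PHP stores its dom_object* here */
    sim_type type;
    const char *name;
    struct sim_node *children;
    struct sim_node *parent;
    struct sim_node *next;
    struct sim_node *properties; /* regular attributes of an element */
    struct sim_ns *nsDef;        /* namespace declarations of an element */
} sim_node;

typedef struct sim_ns {
    struct sim_ns *next;         /* a different pointer sits at offset 0 */
    sim_type type;               /* always SIM_NAMESPACE_DECL */
    const char *href;
    const char *prefix;          /* NULL for the default namespace (xmlns="...") */
} sim_ns;

/* Read the shared type tag without committing to either struct's layout. */
static sim_type type_of(const void *p) {
    sim_type t;
    memcpy(&t, (const char *)p + offsetof(sim_node, type), sizeof t);
    return t;
}

/* DOM-1 attribute lookup in the spirit of dom_get_dom1_attribute(), but with the
 * two outcomes kept apart instead of both being handed back as an xmlNode*. */
typedef struct { const sim_node *attr; const sim_ns *ns; } attr_lookup;

static attr_lookup get_attribute(const sim_node *elem, const char *qname) {
    attr_lookup r = { NULL, NULL };
    for (const sim_node *a = elem->properties; a; a = a->next)
        if (a->type == SIM_ATTRIBUTE_NODE && strcmp(a->name, qname) == 0) {
            r.attr = a;
            return r;
        }
    /* "xmlns" or "xmlns:foo" names a namespace declaration, not an attribute. */
    if (strncmp(qname, "xmlns", 5) == 0 && (qname[5] == '\0' || qname[5] == ':')) {
        const char *prefix = qname[5] == ':' ? qname + 6 : NULL;
        for (const sim_ns *ns = elem->nsDef; ns; ns = ns->next)
            if ((!prefix && !ns->prefix) ||
                (prefix && ns->prefix && strcmp(prefix, ns->prefix) == 0)) {
                r.ns = ns;
                return r;
            }
    }
    return r;
}

/* Walk a node list as a free-list routine would, but inspect the type tag
 * before touching any other field. Returns the node count, or -1 when the
 * pointer is not xmlNode-shaped: the guard the crashing code lacked. */
static int count_list(const void *p) {
    int n = 0;
    for (const sim_node *cur = (const sim_node *)p; cur; cur = cur->next) {
        if (type_of(cur) != SIM_ELEMENT_NODE && type_of(cur) != SIM_ATTRIBUTE_NODE)
            return -1;           /* namespace declaration or unknown tag: stop */
        n++;
    }
    return n;
}

/* parentNode on a namespace declaration: there is no xmlNode parent to return,
 * so answer "none" instead of reading whatever the xmlNs holds at that offset. */
static const sim_node *parent_of(const void *p) {
    if (type_of(p) == SIM_NAMESPACE_DECL) return NULL;
    return ((const sim_node *)p)->parent;
}

/* Constructed sample mirroring the report's sitemap.xml root element, plus one
 * made-up ordinary attribute so both lookup paths are exercised. */
static sim_node g_urlset;
static sim_ns g_xsi = { NULL, SIM_NAMESPACE_DECL, "fooooooooooooooooooooo", "xsi" };
static sim_ns g_default = { &g_xsi, SIM_NAMESPACE_DECL,
                            "http://www.sitemaps.org/schemas/sitemap/0.9", NULL };
static sim_node g_count = { NULL, SIM_ATTRIBUTE_NODE, "count", NULL, &g_urlset, NULL, NULL, NULL };
static sim_node g_urlset = { NULL, SIM_ELEMENT_NODE, "urlset", NULL, NULL, NULL, &g_count, &g_default };

/* 2 = namespace declaration, 1 = attribute node, 0 = not found. */
static int lookup_kind(const char *qname) {
    attr_lookup r = get_attribute(&g_urlset, qname);
    return r.ns ? 2 : r.attr ? 1 : 0;
}
int main(void) {
    printf("getAttributeNode('xmlns') -> kind %d (2 = namespace declaration)\n", lookup_kind("xmlns"));
    printf("free-list walk over that declaration -> %d (refused)\n", count_list(&g_default));
    printf("free-list walk over <urlset> -> %d node(s)\n", count_list(&g_urlset));
    return 0;
}
```

The point of `type_of()` is that the tag is the only field the two structs share, so it is the only thing that may be read before deciding which layout applies. A free-list routine that opens with `switch (node->type)`, as the crashing line in the backtrace does, is still unsafe if a namespace declaration can reach it under an xmlNode pointer: the tag reads fine, but `next`, `children` and `parent` then come from an xmlNs, which is what turns a `print_r()` or `parentNode` access into the reported segfault.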
 [2023-06-09 19:51 UTC] git@php.net
Automatic comment on behalf of nielsdos
Revision: https://github.com/php/php-src/commit/f2d673fb18cc6a6c88bf588f39fd1aa9dcfec964
Log: Fix #70359 and #78577: segfaults with DOMNameSpaceNode
 [2023-06-09 19:51 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Sep 08 06:01:27 2024 UTC