Mitigate libxml2 tree dictionary bug #19612

@YuanchengJiang

Description

The following code:

<?php
$xml = Dom\XMLDocument::createFromString(<<<XML
<!DOCTYPE root [
<!ENTITY foo "foo">
]>
<root><el x="&foo;bar&foo;"/></root>
XML);
$html = Dom\HTMLDocument::createFromString('<p>foo</p>', LIBXML_NOERROR);
$p = $html->documentElement->firstElementChild->nextElementSibling->firstElementChild;
$p->appendChild($html->adoptNode($xml->documentElement->firstElementChild->cloneNode(true)));

Resulted in this output:

=================================================================
==3917761==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x6190000069dc in thread T0
    #0 0x680e52 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x680e52)
    #1 0x7fc37637f802 in xmlFreeNodeList (/lib/x86_64-linux-gnu/libxml2.so.2+0x64802)
    #2 0x7fc376380092 in xmlFreeProp (/lib/x86_64-linux-gnu/libxml2.so.2+0x65092)
    #3 0x7fc37637f88b in xmlFreeNodeList (/lib/x86_64-linux-gnu/libxml2.so.2+0x6488b)
    #4 0x7fc37637fc73 in xmlFreeDoc (/lib/x86_64-linux-gnu/libxml2.so.2+0x64c73)
    #5 0x8e1c19 in php_libxml_decrement_doc_ref_directly /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/libxml/libxml.c:1381:4
    #6 0x8e2327 in php_libxml_decrement_doc_ref /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/libxml/libxml.c:1401:18
    #7 0x112ee96 in dom_objects_free_storage /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/dom/php_dom.c:1484:4
    #8 0x6276b7c in zend_gc_collect_cycles /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_gc.c:2111:7
    #9 0x5a41228 in zend_shutdown_executor_values /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:425:4
    #10 0x5a42fbe in shutdown_executor /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:455:2
    #11 0x6837ffb in zend_deactivate /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1351:2
    #12 0x501a1a5 in php_request_shutdown /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2024:2
    #13 0x6864e01 in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1159:3
    #14 0x6859ddf in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1363:18
    #15 0x7fc375921d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x7fc375921e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #17 0x6061f4 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x6061f4)

0x6190000069dc is located 92 bytes inside of 1048-byte region [0x619000006980,0x619000006d98)
allocated by thread T0 here:
    #0 0x6810bd in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x6810bd)
    #1 0x7fc376455bae  (/lib/x86_64-linux-gnu/libxml2.so.2+0x13abae)

SUMMARY: AddressSanitizer: bad-free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x680e52) in free
==3917761==ABORTING

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

7e5ad5caf8e249453a84b4f62565188cf69b877f

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

7e5ad5caf8e249453a84b4f62565188cf69b877f

Operating System

No response
