
Null pointer dereference in DOMElement -> getAttributeNames() #16149

Closed
chibinz opened this issue Oct 1, 2024 · 2 comments

Comments

@chibinz
chibinz commented Oct 1, 2024

Description

The following code:

<?php
// Element "b" with a default (unprefixed) namespace declaration, URI "a".
$element = new DOMElement("b", null, "a");
$element->getAttributeNames();

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==73605==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8920f9d7fd bp 0x7ffdea887150 sp 0x7ffdea886908 T0)
==73605==The signal is caused by a READ memory access.
==73605==Hint: address points to the zero page.
    #0 0x7f8920f9d7fd  (/lib/x86_64-linux-gnu/libc.so.6+0x19d7fd) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #1 0x565035819a99 in strlen /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0x565035b9f889 in zim_DOMElement_getAttributeNames /tmp/php-afl/ext/dom/element.c:364:4
    #3 0x565036b1ccb2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-afl/Zend/zend_vm_execute.h
    #4 0x565036a1e3a0 in execute_ex /tmp/php-afl/Zend/zend_vm_execute.h:58486:7
    #5 0x565036a1f1b7 in zend_execute /tmp/php-afl/Zend/zend_vm_execute.h:64138:2
    #6 0x565036f04384 in zend_execute_script /tmp/php-afl/Zend/zend.c:1928:3
    #7 0x5650365d3b0e in php_execute_script_ex /tmp/php-afl/main/main.c:2574:13
    #8 0x565036f0df4c in do_cli /tmp/php-afl/sapi/cli/php_cli.c:935:5
    #9 0x565036f09c91 in main /tmp/php-afl/sapi/cli/php_cli.c:1310:18
    #10 0x7f8920e29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #11 0x7f8920e29e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #12 0x565035802a24 in _start (/workspaces/TriFuzz/targets/php-afl/bin/php+0x402a24)

But I expected this output instead:

no crash

PHP Version

PHP 8.4.0-dev

Operating System

No response

@cmb69
Member
cmb69 commented Oct 1, 2024

Possible fix (would at least avoid the segfault):

 ext/dom/element.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ext/dom/element.c b/ext/dom/element.c
index 06af759365..da74296ffa 100644
--- a/ext/dom/element.c
+++ b/ext/dom/element.c
@@ -361,6 +361,7 @@ PHP_METHOD(DOMElement, getAttributeNames)
 	if (!php_dom_follow_spec_intern(intern)) {
 		for (xmlNsPtr nsptr = nodep->nsDef; nsptr; nsptr = nsptr->next) {
 			const char *prefix = (const char *) nsptr->prefix;
+			if (prefix == NULL) continue;
 			ZVAL_NEW_STR(&tmp, dom_node_concatenated_name_helper(strlen(prefix), prefix, strlen("xmlns"), (const char *) "xmlns"));
 			zend_hash_next_index_insert(ht, &tmp);
 		}
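Review bot: the `if (prefix == NULL) continue;` added before the `ZVAL_NEW_STR` line does stop `strlen(NULL)`, but it silently drops the declaration from the result instead of reporting it; a namespace declaration with no prefix is the default "xmlns" namespace (as the follow-up comment and the landed commit message state), so for a NULL prefix the loop should insert the bare name "xmlns" into `ht` rather than skip the entry, and only the prefixed case should go through `dom_node_concatenated_name_helper(...)`. A one-line comment on why `nsptr->prefix` can be NULL here would also help the next reader of this loop.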

@nielsdos
Member
nielsdos commented Oct 1, 2024

@cmb69 Almost, but since it has a namespace "a", it should contain an "xmlns" entry. I'll make a PR.

nielsdos added a commit to nielsdos/php-src that referenced this issue Oct 1, 2024
…Names()

A namespace without a prefix is by definition always the "xmlns"
namespace.
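The rule the fix rests on, that a namespace declaration without a prefix is the default "xmlns" namespace and so must be reported as the bare name "xmlns" rather than skipped (and must never reach strlen()), as an added C example. This is not code from php-src or from any of the commenters: it models libxml2's xmlNs with a constructed stand-in struct, uses a hypothetical name helper in place of php-src's own, and the names `ns_decl`, `ns_decl_attr_name`, `collect_ns_attr_names` and `reproducer_attr_names` are chosen for this example only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libxml2's xmlNs, constructed for this example only; the
 * real struct has more fields, but these are the ones the loop reads. */
typedef struct ns_decl {
    struct ns_decl *next;
    const char *href;   /* namespace URI, "a" in the reproducer */
    const char *prefix; /* NULL for a default declaration, xmlns="..." */
} ns_decl;

/* Heap copy of a counted byte range, NUL-terminated; caller frees. */
static char *dup_range(const char *s, size_t len) {
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Joins prefix ":" name into a fresh string, the shape of the name helper
 * the original loop calls (hypothetical stand-in, not php-src's helper). */
static char *concat_prefixed_name(const char *prefix, size_t prefix_len,
                                  const char *name, size_t name_len) {
    char *out = malloc(prefix_len + 1 + name_len + 1);
    if (out == NULL) return NULL;
    memcpy(out, prefix, prefix_len);
    out[prefix_len] = ':';
    memcpy(out + prefix_len + 1, name, name_len);
    out[prefix_len + 1 + name_len] = '\0';
    return out;
}

/* Attribute name reported for one namespace declaration.
 * A declaration without a prefix is by definition the default "xmlns"
 * namespace, so it is reported as the bare name "xmlns"; calling strlen()
 * on that NULL prefix is the read of address 0 seen in the ASan trace.
 * A prefixed declaration becomes "xmlns:<prefix>". Caller frees. */
char *ns_decl_attr_name(const ns_decl *ns) {
    if (ns->prefix == NULL) {
        return dup_range("xmlns", strlen("xmlns"));
    }
    return concat_prefixed_name("xmlns", strlen("xmlns"),
                                ns->prefix, strlen(ns->prefix));
}

/* Walks an nsDef chain and fills out[] with one name per declaration.
 * Returns the number of names written (at most max). */
size_t collect_ns_attr_names(const ns_decl *head, char **out, size_t max) {
    size_t n = 0;
    for (const ns_decl *ns = head; ns != NULL && n < max; ns = ns->next) {
        out[n++] = ns_decl_attr_name(ns);
    }
    return n;
}

/* The reproducer's element, <b xmlns="a"/>: a single nsDef entry whose
 * prefix is NULL. Yields exactly one name, "xmlns". */
size_t reproducer_attr_names(char **out, size_t max) {
    ns_decl default_ns = { NULL, "a", NULL };
    return collect_ns_attr_names(&default_ns, out, max);
}

int main(void) {
    /* Constructed chain: a default declaration followed by a prefixed one. */
    ns_decl prefixed = { NULL, "urn:example:p", "p" };
    ns_decl default_ns = { &prefixed, "a", NULL };
    char *names[8];
    size_t n = collect_ns_attr_names(&default_ns, names, 8);
    for (size_t i = 0; i < n; i++) {
        printf("%s\n", names[i]);
        free(names[i]);
    }
    return 0;
}
```

The NULL check sits in the one function that derives the name, so every caller that walks an nsDef chain gets the same behaviour; the crashing path (strlen on a NULL prefix) is simply unreachable rather than guarded at each loop.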
nielsdos added a commit that referenced this issue Oct 1, 2024
* PHP-8.3:
  Fix GH-16149: Null pointer dereference in DOMElement->getAttributeNames()
nielsdos added a commit that referenced this issue Oct 1, 2024
* PHP-8.4:
  Fix GH-16149: Null pointer dereference in DOMElement->getAttributeNames()
jorgsowa pushed a commit to jorgsowa/php-src that referenced this issue Oct 1, 2024
…Names()

A namespace without a prefix is by definition always the "xmlns"
namespace.

Closes phpGH-16155.
4 participants