Memory leak in libxml encoding handling

[chongwick]

Description

The following code:

<?php
$malicious_document = new DOMDocument();
$malicious_document->__construct(str_repeat(chr(223), 65537) . str_repeat(chr(8), 17) . str_repeat(chr(133), 257), str_repeat(chr(62), 257));
$malicious_document-> save(str_repeat("%s%x%n", 0x100), 0.5880082824695007);

Resulted in this output:

==3938990==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 56 byte(s) in 1 object(s) allocated from:
    #0 0x14e1d1ff8887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14e1d1cb85ba  (/lib/x86_64-linux-gnu/libxml2.so.2+0x3d5ba)

Indirect leak of 32640 byte(s) in 1 object(s) allocated from:
    #0 0x14e1d1ff8887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14e1d192f7e6 in __gconv_open (/lib/x86_64-linux-gnu/libc.so.6+0x2a7e6)
    #2 0x14e1d192f2b7 in iconv_open (/lib/x86_64-linux-gnu/libc.so.6+0x2a2b7)
    #3 0x61200002c5bf  (<unknown module>)

Indirect leak of 32640 byte(s) in 1 object(s) allocated from:
    #0 0x14e1d1ff8887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14e1d192f7e6 in __gconv_open (/lib/x86_64-linux-gnu/libc.so.6+0x2a7e6)
    #2 0x14e1d192f2b7 in iconv_open (/lib/x86_64-linux-gnu/libc.so.6+0x2a2b7)
    #3 0x602000002b6f  (<unknown module>)

Indirect leak of 416 byte(s) in 2 object(s) allocated from:
    #0 0x14e1d1ff8887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14e1d193a9d6  (/lib/x86_64-linux-gnu/libc.so.6+0x359d6)

Indirect leak of 258 byte(s) in 1 object(s) allocated from:
    #0 0x14e1d1ff8887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14e1d1d5a942  (/lib/x86_64-linux-gnu/libxml2.so.2+0xdf942)

Indirect leak of 112 byte(s) in 1 object(s) allocated from:
    #0 0x14e1d1ff8887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14e1d192f76c in __gconv_open (/lib/x86_64-linux-gnu/libc.so.6+0x2a76c)
    #2 0x14e1d192f2b7 in iconv_open (/lib/x86_64-linux-gnu/libc.so.6+0x2a2b7)
    #3 0x61200002c5bf  (<unknown module>)

Indirect leak of 112 byte(s) in 1 object(s) allocated from:
    #0 0x14e1d1ff8887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x14e1d192f76c in __gconv_open (/lib/x86_64-linux-gnu/libc.so.6+0x2a76c)
    #2 0x14e1d192f2b7 in iconv_open (/lib/x86_64-linux-gnu/libc.so.6+0x2a2b7)
    #3 0x602000002b6f  (<unknown module>)

SUMMARY: AddressSanitizer: 66234 byte(s) leaked in 8 allocation(s).

PHP Version

8.5-dev

Operating System

No response

[devnexen]

Hi and thanks for your report however I got to admit I m rarely able to reproduce your issues recently. Is there any info missing ? nvm leak sanitizer on mac is only partially supported, I can reproduce on linux.

[chongwick]

I'll make sure to be more consistent with OS info, etc.

[nielsdos]

@chongwick This is not a PHP bug, but a libxml bug. There is a memory leak here: https://github.com/GNOME/libxml2/blame/0dd910e82bf74cdebcabe1a576f6178e0092cb5d/xmlsave.c#L2830, and a quick and dirty test of adding an xmlCharEncCloseFunc(handler); call prior to the return fixes this. I suggest you report this upstream to libxml.

[devnexen]

ah true definitively there is no php involvement in this case, should have read better the report..

[chongwick]

https://gitlab.gnome.org/GNOME/libxml2/-/issues/831

[nielsdos]

Thanks, since this is now tracked upstream, I believe we can close this.