Closed
Description
Attached is PHP code:
<?php
$sx1 = new SimpleXMLElement("<root />");
$sx1->node[0] = 'node1';
$node = $sx1->node[0];
// Two bare \xC2 bytes (a UTF-8 lead byte with no continuation byte, repeated)
// followed by 'c'; written as escapes so the reproducer does not depend on
// the encoding the source file is saved in.
$node[0] = "\xC2\xC2c";
print $sx1->asXML();
?>
Resulted in this output:
=================================================================
==3614420==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000000 at pc 0x560456f4c11d bp 0x7ffff6e00130 sp 0x7ffff6e00120
READ of size 8 at 0x603000000000 thread T0
#0 0x560456f4c11c in zend_mm_free_heap /home/benchmarks/php/program/Zend/zend_alloc.c:1540
#1 0x560456f4c11c in _efree /home/benchmarks/php/program/Zend/zend_alloc.c:2773
#2 0x5604570ce77c in zval_ptr_dtor_nogc /home/benchmarks/php/program/Zend/zend_variables.h:36
#3 0x5604570ce77c in ZEND_ECHO_SPEC_TMPVAR_HANDLER /home/benchmarks/php/program/Zend/zend_vm_execute.h:15166
#4 0x5604573585fa in execute_ex /home/benchmarks/php/program/Zend/zend_vm_execute.h:60745
#5 0x5604573bd364 in zend_execute /home/benchmarks/php/program/Zend/zend_vm_execute.h:64334
#6 0x56045757fd0f in zend_execute_script /home/benchmarks/php/program/Zend/zend.c:1943
#7 0x560456d2423f in php_execute_script_ex /home/benchmarks/php/program/main/main.c:2594
#8 0x560457585df8 in do_cli /home/benchmarks/php/program/sapi/cli/php_cli.c:952
#9 0x5604561264d0 in main /home/benchmarks/php/program/sapi/cli/php_cli.c:1363
#10 0x7f2eb21e2082 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#11 0x560456126e7d in _start (/home/benchmarks/php/program/sapi/cli/php+0x2123e7d)
0x603000000000 is located 16 bytes to the left of 22-byte region [0x603000000010,0x603000000026)
allocated by thread T0 here:
#0 0x7f2eb320e3ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445
#1 0x5604575a6751 in save_ps_args /home/benchmarks/php/program/sapi/cli/ps_title.c:200
#2 0x560456125d60 in main /home/benchmarks/php/program/sapi/cli/php_cli.c:1217
#3 0x7f2eb21e2082 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/benchmarks/php/program/Zend/zend_alloc.c:1540 in zend_mm_free_heap
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000:[fa]fa 00 00 06 fa fa fa 00 00 00 00 fa fa 00 00
0x0c067fff8010: 00 04 fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
0x0c067fff8020: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fff8030: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c067fff8040: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff8050: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3614420==ABORTING
But I expected this output instead:
<?xml version="1.0" encoding="ISO-8859-1"?>
<root><node>??c</node></root>
To reproduce:
./php-src/sapi/cli/php input.php
Commit:
2d6b869
PHP Version
PHP 8.5.0-dev (cli) (built: May 19 2025 07:57:48) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.5.0-dev, Copyright (c) Zend Technologies
Operating System
Ubuntu 20.04
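An application-side guard for the assignment pattern in the reproducer above, added here as an example; it is not part of the bug report or of php-src. It assumes, based on the reporter's comment about the repeated \xC2 byte, that the invalid UTF-8 sequence is what reaches the faulty path, and it validates or repairs the bytes before they are assigned into the SimpleXMLElement. The helper name sanitize_for_xml and the sample input are constructed for this illustration; the actual fix belongs in php-src at the commit noted above.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the report): make a byte string safe to
 * hand to SimpleXML as text content.
 *
 * - In strict mode any invalid UTF-8 is rejected outright.
 * - Otherwise invalid sequences are replaced via mb_scrub(), whose
 *   substitute character defaults to '?', and control characters that
 *   XML 1.0 forbids are dropped.
 */
function sanitize_for_xml(string $s, bool $strict = false): string
{
    if (!mb_check_encoding($s, 'UTF-8')) {
        if ($strict) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
        $s = mb_scrub($s, 'UTF-8');
    }
    // XML 1.0 allows only TAB, LF and CR below U+0020; the pattern targets
    // ASCII bytes only, which never occur inside a multi-byte UTF-8 sequence.
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $s);
}

// Constructed input reproducing the bytes from the report: \xC2 is a two-byte
// lead byte, but here it is followed by another \xC2 instead of a continuation
// byte (0x80..0xBF), so the sequence is invalid UTF-8.
$untrusted = "\xC2\xC2c";

// Strict mode: refuse the input before SimpleXML ever sees it.
try {
    sanitize_for_xml($untrusted, true);
} catch (InvalidArgumentException $e) {
    fwrite(STDERR, "rejected: {$e->getMessage()}\n");
}

// Lenient mode: the same assignment pattern as the reproducer, but only
// repaired bytes reach the node.
$sx1 = new SimpleXMLElement("<root />");
$sx1->node[0] = 'node1';
$node = $sx1->node[0];
$node[0] = sanitize_for_xml($untrusted);
print $sx1->asXML();
```

Run it with the same CLI invocation as the reproducer. The strict branch is the one to use where the input is untrusted and can simply be rejected; the lenient branch keeps the node text well-formed for a caller that must accept whatever bytes arrive.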