Segmentation fault in ext/dom/php_dom.c

[YuanchengJiang]

Description

The following code:

<?php
function varToString($var) {
}
$attr = new DOMAttr('category', 'books');
$script1_dataflow = $attr;
class test {
private function __clone() {
}
}
$clone = clone $script1_dataflow;

Resulted in this output:

/php-src/ext/dom/php_dom.c:597:21: runtime error: member access within null pointer of type 'php_libxml_ref_obj' (aka 'struct _php_libxml_ref_obj')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/ext/dom/php_dom.c:597:21 in

Valgrind output:

==796071== Invalid write of size 8
==796071==    at 0x43A3E3: dom_objects_store_clone_obj (php_dom.c:596)
==796071==    by 0x8BEA67: ZEND_CLONE_SPEC_CV_HANDLER (zend_vm_execute.h:39861)
==796071==    by 0x8E4A17: execute_ex (zend_vm_execute.h:61520)
==796071==    by 0x8E5DF4: zend_execute (zend_vm_execute.h:62776)
==796071==    by 0x81E8F2: zend_execute_script (zend.c:1896)
==796071==    by 0x76C7C1: php_execute_script_ex (main.c:2499)
==796071==    by 0x76C947: php_execute_script (main.c:2539)
==796071==    by 0x9A98C7: do_cli (php_cli.c:966)
==796071==    by 0x9AA5F0: main (php_cli.c:1340)
==796071==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==796071== 
==796071== 
==796071== Process terminating with default action of signal 11 (SIGSEGV)
==796071==  Access not within mapped region at address 0x18
==796071==    at 0x43A3E3: dom_objects_store_clone_obj (php_dom.c:596)
==796071==    by 0x8BEA67: ZEND_CLONE_SPEC_CV_HANDLER (zend_vm_execute.h:39861)
==796071==    by 0x8E4A17: execute_ex (zend_vm_execute.h:61520)
==796071==    by 0x8E5DF4: zend_execute (zend_vm_execute.h:62776)
==796071==    by 0x81E8F2: zend_execute_script (zend.c:1896)
==796071==    by 0x76C7C1: php_execute_script_ex (main.c:2499)
==796071==    by 0x76C947: php_execute_script (main.c:2539)
==796071==    by 0x9A98C7: do_cli (php_cli.c:966)
==796071==    by 0x9AA5F0: main (php_cli.c:1340)

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04