Description
The following code:
<?php
// Reproducer: a DOMNotation handle outlives the doctype (DTD) node that owns it.
$doc = new DOMDocument;
$doc->loadXML(<<<'XML'
<?xml version="1.0"?>
<!DOCTYPE books [
<!NOTATION myNotation SYSTEM "test.dtd">
]>
<container/>
XML);
// Keep a PHP object for the notation declared in the internal subset above;
// its underlying libxml node lives inside the DTD allocated by xmlCreateIntSubset.
$notation = $doc->doctype->notations[0];
// Detach the doctype. No PHP variable holds the DOMDocumentType object, so it is
// destroyed right after the call and the DTD node is freed
// (ASan trace: dom_objects_free_storage -> php_libxml_node_free), while
// $notation still points into that region.
$doc->removeChild($doc->doctype);
// Dumping $notation collects its debug info, which reads parentNode and
// dereferences the freed DTD node
// (ASan trace: dom_get_debug_info -> dom_node_parent_get -> php_dom_object_get_data).
var_dump(get_defined_vars());
Resulted in this output:
array(9) {
["argv"]=>
array(1) {
[0]=>
string(5) "z.php"
}
["argc"]=>
int(1)
["_GET"]=>
array(0) {
}
["_POST"]=>
array(0) {
}
["_COOKIE"]=>
array(0) {
}
["_FILES"]=>
array(0) {
}
["_SERVER"]=>
array(51) {
["TERM_SESSION_ID"]=>
string(43) "w0t2p0:30BAD38A-D24C-463D-BD16-076130503565"
["SSH_AUTH_SOCK"]=>
string(47) "/var/run/com.apple.launchd.6w3HOYvwdJ/Listeners"
["LC_TERMINAL_VERSION"]=>
string(6) "3.6.10"
["COLORFGBG"]=>
string(4) "15;0"
["ITERM_PROFILE"]=>
string(7) "Default"
["SQLITE_EXEMPT_PATH_FROM_VNODE_GUARDS"]=>
string(38) "/Users/arshid/Library/WebKit/Databases"
["OSLogRateLimit"]=>
string(2) "64"
["XPC_FLAGS"]=>
string(3) "0x0"
["LANG"]=>
string(11) "en_US.UTF-8"
["PWD"]=>
string(31) "/Users/arshid/Downloads/php-src"
["SHELL"]=>
string(8) "/bin/zsh"
["__CFBundleIdentifier"]=>
string(21) "com.googlecode.iterm2"
["TERM_FEATURES"]=>
string(28) "T3LrMSc7UUw9Ts3BFGsSyHNoSxFP"
["TERM_PROGRAM_VERSION"]=>
string(6) "3.6.10"
["TERM_PROGRAM"]=>
string(9) "iTerm.app"
["PATH"]=>
string(620) "/opt/homebrew/opt/llvm@18/bin:/usr/local/opt/python@3.10/bin:/Users/arshid/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/pkg/env/active/bin:/opt/pmk/env/global/bin:/opt/homebrew/bin:/Users/arshid/.cargo/bin:/Applications/iTerm.app/Contents/Resources/utilities:/Users/arshid/Library/Android/sdk/emulator:/Users/arshid/Library/Android/sdk/platform-tools"
["LC_TERMINAL"]=>
string(6) "iTerm2"
["COLORTERM"]=>
string(9) "truecolor"
["COMMAND_MODE"]=>
string(8) "unix2003"
["TERM"]=>
string(14) "xterm-256color"
["TERMINFO_DIRS"]=>
string(71) "/Applications/iTerm.app/Contents/Resources/terminfo:/usr/share/terminfo"
["HOME"]=>
string(13) "/Users/arshid"
["TMPDIR"]=>
string(49) "/var/folders/g7/p60jwq7n6vq4nv3dkrl86h600000gn/T/"
["USER"]=>
string(6) "arshid"
["XPC_SERVICE_NAME"]=>
string(1) "0"
["LOGNAME"]=>
string(6) "arshid"
["__CF_USER_TEXT_ENCODING"]=>
string(13) "0x1F5:0x0:0x0"
["ITERM_SESSION_ID"]=>
string(43) "w0t2p0:30BAD38A-D24C-463D-BD16-076130503565"
["SHLVL"]=>
string(1) "1"
["OLDPWD"]=>
string(23) "/Users/arshid/Downloads"
["P9K_TTY"]=>
string(3) "old"
["_P9K_TTY"]=>
string(12) "/dev/ttys003"
["ZSH"]=>
string(24) "/Users/arshid/.oh-my-zsh"
["PAGER"]=>
string(4) "less"
["LESS"]=>
string(2) "-R"
["LSCOLORS"]=>
string(22) "Gxfxcxdxbxegedabagacad"
["LS_COLORS"]=>
string(85) "di=1;36:ln=35:so=32:pi=33:ex=31:bd=34;46:cd=34;43:su=30;41:sg=30;46:tw=30;42:ow=30;43"
["P9K_SSH"]=>
string(1) "0"
["_P9K_SSH_TTY"]=>
string(12) "/dev/ttys003"
["JAVA_HOME"]=>
string(59) "/Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home"
["ANDROID_HOME"]=>
string(33) "/Users/arshid/Library/Android/sdk"
["_"]=>
string(44) "/Users/arshid/Downloads/php-src/sapi/cli/php"
["PHP_SELF"]=>
string(5) "z.php"
["SCRIPT_NAME"]=>
string(5) "z.php"
["SCRIPT_FILENAME"]=>
string(5) "z.php"
["PATH_TRANSLATED"]=>
string(5) "z.php"
["DOCUMENT_ROOT"]=>
string(0) ""
["REQUEST_TIME_FLOAT"]=>
float(1781692415.116517)
["REQUEST_TIME"]=>
int(1781692415)
["argv"]=>
array(1) {
[0]=>
string(5) "z.php"
}
["argc"]=>
int(1)
}
["doc"]=>
object(DOMDocument)#1 (40) {
["doctype"]=>
NULL
["implementation"]=>
string(22) "(object value omitted)"
["documentElement"]=>
string(22) "(object value omitted)"
["actualEncoding"]=>
NULL
["encoding"]=>
NULL
["xmlEncoding"]=>
NULL
["standalone"]=>
bool(false)
["xmlStandalone"]=>
bool(false)
["version"]=>
string(3) "1.0"
["xmlVersion"]=>
string(3) "1.0"
["strictErrorChecking"]=>
bool(true)
["documentURI"]=>
string(32) "/Users/arshid/Downloads/php-src/"
["config"]=>
NULL
["formatOutput"]=>
bool(false)
["validateOnParse"]=>
bool(false)
["resolveExternals"]=>
bool(false)
["preserveWhiteSpace"]=>
bool(true)
["recover"]=>
bool(false)
["substituteEntities"]=>
bool(false)
["firstElementChild"]=>
string(22) "(object value omitted)"
["lastElementChild"]=>
string(22) "(object value omitted)"
["childElementCount"]=>
int(1)
["nodeName"]=>
string(9) "#document"
["nodeValue"]=>
NULL
["nodeType"]=>
int(9)
["parentNode"]=>
NULL
["parentElement"]=>
NULL
["childNodes"]=>
string(22) "(object value omitted)"
["firstChild"]=>
string(22) "(object value omitted)"
["lastChild"]=>
string(22) "(object value omitted)"
["previousSibling"]=>
NULL
["nextSibling"]=>
NULL
["attributes"]=>
NULL
["isConnected"]=>
bool(true)
["ownerDocument"]=>
NULL
["namespaceURI"]=>
NULL
["prefix"]=>
string(0) ""
["localName"]=>
NULL
["baseURI"]=>
string(32) "/Users/arshid/Downloads/php-src/"
["textContent"]=>
string(0) ""
}
["notation"]=>
=================================================================
==905==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00002d280 at pc 0x000104567bd0 bp 0x00016bca34d0 sp 0x00016bca34c8
READ of size 8 at 0x60c00002d280 thread T0
#0 0x000104567bcc in php_dom_object_get_data php_dom.c:322
#1 0x000104585f48 in php_dom_create_object php_dom.c:1648
#2 0x00010453cac0 in dom_node_parent_get node.c:258
#3 0x00010453c8fc in dom_node_parent_node_read node.c:269
#4 0x00010458cf18 in dom_get_debug_info_helper php_dom.c:528
#5 0x00010456fd8c in dom_get_debug_info php_dom.c:551
#6 0x000105f335e8 in zend_std_get_properties_for zend_object_handlers.c:2612
#7 0x000105f33bdc in zend_get_properties_for zend_object_handlers.c:2661
#8 0x000105450d68 in php_var_dump var.c:182
#9 0x000105451b64 in php_array_element_dump var.c:49
#10 0x000105450728 in php_var_dump var.c:156
#11 0x000105452c60 in zif_var_dump var.c:253
#12 0x000105d04f8c in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_TAILCALL_HANDLER zend_vm_execute.h:54127
#13 0x00010599dd24 in execute_ex zend_vm_execute.h:110228
#14 0x00010599e674 in zend_execute zend_vm_execute.h:115646
#15 0x000105fbd20c in zend_execute_script zend.c:1972
#16 0x00010559772c in php_execute_script_ex main.c:2655
#17 0x000105597c94 in php_execute_script main.c:2695
#18 0x000105fc3ae8 in do_cli php_cli.c:947
#19 0x000105fc1f34 in main php_cli.c:1370
#20 0x00018b3c7da0 in start+0x1b4c (dyld:arm64e+0x1fda0)
0x60c00002d280 is located 0 bytes inside of 128-byte region [0x60c00002d280,0x60c00002d300)
freed by thread T0 here:
#0 0x000108a35258 in free+0x7c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x41258)
#1 0x00010428f908 in php_libxml_node_free libxml.c:277
#2 0x000104295db8 in php_libxml_node_free_resource libxml.c:1448
#3 0x000104295ed0 in php_libxml_node_decrement_resource libxml.c:1462
#4 0x00010456f3a0 in dom_objects_free_storage php_dom.c:1496
#5 0x000105f36e40 in zend_objects_store_del zend_objects_API.c:193
#6 0x000105f9daa8 in rc_dtor_func zend_variables.c:56
#7 0x000105da7e18 in i_zval_ptr_dtor zend_variables.h:44
#8 0x000105c4e354 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_TAILCALL_HANDLER zend_vm_execute.h:54861
#9 0x00010599dd24 in execute_ex zend_vm_execute.h:110228
#10 0x00010599e674 in zend_execute zend_vm_execute.h:115646
#11 0x000105fbd20c in zend_execute_script zend.c:1972
#12 0x00010559772c in php_execute_script_ex main.c:2655
#13 0x000105597c94 in php_execute_script main.c:2695
#14 0x000105fc3ae8 in do_cli php_cli.c:947
#15 0x000105fc1f34 in main php_cli.c:1370
#16 0x00018b3c7da0 in start+0x1b4c (dyld:arm64e+0x1fda0)
previously allocated by thread T0 here:
#0 0x000108a35164 in malloc+0x78 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x41164)
#1 0x00018b594658 in _malloc_type_malloc_outlined+0x40 (libsystem_malloc.dylib:arm64e+0x1e658)
#2 0x000196054440 in xmlCreateIntSubset+0x64 (libxml2.2.dylib:arm64e+0x9440)
#3 0x00019605435c in xmlSAX2InternalSubset+0x70 (libxml2.2.dylib:arm64e+0x935c)
#4 0x000196052a54 in xmlParseDocTypeDecl+0xe0 (libxml2.2.dylib:arm64e+0x7a54)
#5 0x000196067bf4 in xmlParseDocument+0x2a4 (libxml2.2.dylib:arm64e+0x1cbf4)
#6 0x0001044e4fac in dom_document_parser document.c:1455
#7 0x0001044e5ae4 in dom_parse_document document.c:1541
#8 0x0001044e5bf4 in zim_DOMDocument_loadXML document.c:1562
#9 0x000105c4dc10 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_TAILCALL_HANDLER zend_vm_execute.h:54821
#10 0x00010599dd24 in execute_ex zend_vm_execute.h:110228
#11 0x00010599e674 in zend_execute zend_vm_execute.h:115646
#12 0x000105fbd20c in zend_execute_script zend.c:1972
#13 0x00010559772c in php_execute_script_ex main.c:2655
#14 0x000105597c94 in php_execute_script main.c:2695
#15 0x000105fc3ae8 in do_cli php_cli.c:947
#16 0x000105fc1f34 in main php_cli.c:1370
#17 0x00018b3c7da0 in start+0x1b4c (dyld:arm64e+0x1fda0)
SUMMARY: AddressSanitizer: heap-use-after-free php_dom.c:322 in php_dom_object_get_data
Shadow bytes around the buggy address:
0x60c00002d000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x60c00002d080: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x60c00002d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x60c00002d180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x60c00002d200: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
=>0x60c00002d280:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x60c00002d300: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x60c00002d380: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x60c00002d400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60c00002d480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60c00002d500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==905==ABORTING
PHP Version
PHP 8.6.0-dev (cli) (built: Jun 17 2026 13:26:42) (NTS DEBUG)
Copyright © The PHP Group and Contributors
Zend Engine v4.6.0-dev, Copyright © Zend by Perforce
with Zend OPcache v8.6.0-dev, Copyright ©, by Zend by Perforce
Operating System
No response