From a0a7361b648eb3f528c2d22c4ac708f9bd01a336 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 21 Oct 2024 19:40:55 +0200 Subject: [PATCH 1/2] Fix GH-16533: Segfault when adding attribute to parent that is not an element Attributes are only valid as children of elements. This bug goes back all the way. Closes GH-16537. --- NEWS | 2 ++ ext/dom/node.c | 5 +++++ ext/dom/tests/gh16533.phpt | 20 ++++++++++++++++++++ 3 files changed, 27 insertions(+) create mode 100644 ext/dom/tests/gh16533.phpt diff --git a/NEWS b/NEWS index b28d0dafb82..428dcaf71c8 100644 --- a/NEWS +++ b/NEWS @@ -30,6 +30,8 @@ PHP NEWS . Fixed bug GH-16316 (DOMXPath breaks when not initialized properly). (nielsdos) . Fixed bug GH-16473 (dom_import_simplexml stub is wrong). (nielsdos) + . Fixed bug GH-16533 (Segfault when adding attribute to parent that is not + an element). (nielsdos) - EXIF: . Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a diff --git a/ext/dom/node.c b/ext/dom/node.c index bb80408f268..4be876c4943 100644 --- a/ext/dom/node.c +++ b/ext/dom/node.c @@ -872,6 +872,11 @@ static bool dom_node_check_legacy_insertion_validity(xmlNodePtr parentp, xmlNode php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror); return false; } + /* Attributes must be in elements. */ + if (child->type == XML_ATTRIBUTE_NODE && parentp->type != XML_ELEMENT_NODE) { + php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror); + return false; + } return true; } diff --git a/ext/dom/tests/gh16533.phpt b/ext/dom/tests/gh16533.phpt new file mode 100644 index 00000000000..dad40e88b4d --- /dev/null +++ b/ext/dom/tests/gh16533.phpt @@ -0,0 +1,20 @@ +--TEST-- +GH-16533 (Segfault when adding attribute to parent that is not an element) +--EXTENSIONS-- +dom +--FILE-- +appendChild($doc->createAttribute('foo')); +} catch (DOMException $e) { + echo $e->getMessage(), "\n"; +} + +echo $doc->saveXML(); + +?> +--EXPECT-- +Hierarchy Request Error + 
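Review bot: The comment on the new guard in `dom_node_check_legacy_insertion_validity` states the rule but not why it matters for memory safety, even though the commit fixes a segfault; something like `/* Attributes are only valid under elements; linking one under any other parent type crashed (GH-16533). */` keeps the reason next to the check. The condition `parentp->type != XML_ELEMENT_NODE` rejects every non-element parent, which presumably includes document fragments, so a test case for a second parent type would document that this is intended. As far as the test is visible here, it only exercises `appendChild` on a document; any other insertion entry points that rely on this helper (not visible in the hunk) are worth a case each. The function body starts outside the hunk.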
From 51b642f2c9dcb976b10e7557f5e21b020b94c7f0 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 21 Oct 2024 19:53:54 +0200 Subject: [PATCH 2/2] Fix GH-16535: UAF when using document as a child Documents can never be children of any node. Closes GH-16539. --- NEWS | 1 + ext/dom/node.c | 6 ++++++ ext/dom/tests/gh16535.phpt | 25 +++++++++++++++++++++++++ 3 files changed, 32 insertions(+) create mode 100644 ext/dom/tests/gh16535.phpt diff --git a/NEWS b/NEWS index 428dcaf71c8..eb434beaf23 100644 --- a/NEWS +++ b/NEWS @@ -32,6 +32,7 @@ PHP NEWS . Fixed bug GH-16473 (dom_import_simplexml stub is wrong). (nielsdos) . Fixed bug GH-16533 (Segfault when adding attribute to parent that is not an element). (nielsdos) + . Fixed bug GH-16535 (UAF when using document as a child). (nielsdos) - EXIF: . Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a diff --git a/ext/dom/node.c b/ext/dom/node.c index 4be876c4943..a8e3b035d14 100644 --- a/ext/dom/node.c +++ b/ext/dom/node.c @@ -878,6 +878,12 @@ static bool dom_node_check_legacy_insertion_validity(xmlNodePtr parentp, xmlNode return false; } + /* Documents can never be a child. */ + if (child->type == XML_DOCUMENT_NODE || child->type == XML_HTML_DOCUMENT_NODE) { + php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror); + return false; + } + return true; } diff --git a/ext/dom/tests/gh16535.phpt b/ext/dom/tests/gh16535.phpt new file mode 100644 index 00000000000..1c8d282303c --- /dev/null +++ b/ext/dom/tests/gh16535.phpt @@ -0,0 +1,25 @@ +--TEST-- +GH-16535 (UAF when using document as a child) +--EXTENSIONS-- +dom +--FILE-- +loadHTML("t"); +$v4 = $v2->createElement('foo'); +try { + $v4->appendChild($v2); +} catch (DOMException $e) { + echo $e->getMessage(), "\n"; +} +$v2->loadHTML("oU"); +echo $v2->saveXML(); + +?> +--EXPECT-- +Hierarchy Request Error + + +
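Review bot: The document-as-child check depends only on `child->type`, yet it sits after every other check in `dom_node_check_legacy_insertion_validity`, whose earlier part lies outside this hunk. If any of those earlier checks inspects or walks the child, a document still reaches them first, so for a use-after-free fix it would be more defensive to move this block to the top of the function. The condition has two arms, but the visible part of the test builds its document with `loadHTML`, which presumably yields an `XML_HTML_DOCUMENT_NODE`, so the `XML_DOCUMENT_NODE` arm looks unexercised. A second case that appends a plain, unloaded `DOMDocument` to one of its elements would pin that arm.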
oU