Segmentation fault on unknown address 0x0001ffff8041 with XML extension under certain memory limit

[YuanchengJiang]

Description

The following code:

<?php
function createParser(bool $huge) {
    $parser = xml_parser_create();
    xml_parser_set_option($parser, XML_OPTION_PARSE_HUGE, $huge);
    xml_set_element_handler($parser, function($parser, $data) {
    }, function($parser, $data) {
    });
    return $parser;
}
// Construct XML that is too large to parse without XML_OPTION_PARSE_HUGE
$long_text = str_repeat("A", 1000 * 1000 * 5 /* 5 MB */);
$long_xml_head = "<?xml version=\"1.0\"?><container><$long_text/><$long_text/><second>foo</second>";
$long_xml_tail = "</container>";
$parser = createParser(false);
$ret = xml_parse($parser, $long_xml_head, true);
echo "ret = $ret (", xml_error_string(xml_get_error_code($parser)), ")\n";
$parser = createParser(true);
$ret = xml_parse($parser, $long_xml_head, false);
$parser = createParser(true);
$ret = xml_parse_into_struct($parser, $long_xml_head . $long_xml_tail, $values, $index);
?>

Resulted in this output:

ret = 0 (XML_ERR_NAME_REQUIRED)

Fatal error: Allowed memory size of 34603008 bytes exhausted at /php-src/Zend/zend_string.h:176 (tried to allocate 5000032 bytes) in ./test.php on line 20
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2886881==ERROR: AddressSanitizer: SEGV on unknown address 0x0001ffff8041 (pc 0x55f2c377c0ab bp 0x7ffeb917e630 sp 0x7ffeb917e570 T0)
==2886881==The signal is caused by a READ memory access.
    #0 0x55f2c377c0ab in zend_mm_free_heap /php-src/Zend/zend_alloc.c:1431:28
    #1 0x55f2c3780951 in _efree /php-src/Zend/zend_alloc.c:2600:2
    #2 0x55f2c34a76d2 in xml_parser_free_ltags /php-src/ext/xml/xml.c:324:4
    #3 0x55f2c347d3d2 in xml_parser_free_obj /php-src/ext/xml/xml.c:336:2
    #4 0x55f2c4381d2b in zend_objects_store_free_object_storage /php-src/Zend/zend_objects_API.c:122:6
    #5 0x55f2c38b8399 in zend_shutdown_executor_values /php-src/Zend/zend_execute_API.c:401:2
    #6 0x55f2c38b97be in shutdown_executor /php-src/Zend/zend_execute_API.c:418:2
    #7 0x55f2c3989343 in zend_deactivate /php-src/Zend/zend.c:1311:2
    #8 0x55f2c34f319f in php_request_shutdown /php-src/main/main.c:1894:2
    #9 0x55f2c48c9868 in do_cli /php-src/sapi/cli/php_cli.c:1136:3
    #10 0x55f2c48c3b02 in main /php-src/sapi/cli/php_cli.c:1340:18
    #11 0x7f860337ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f860337ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x55f2c18031f4 in _start (/php-src/sapi/cli/php+0x1c031f4) (BuildId: 4b2c3013b167e0ff55e0ad4f26ad7d3438ee4f65)

AddressSanitizer can not provide additional info.

To reproduce:

USE_ZEND_ALLOC=1 /WorkSpace/phptest/php-src/sapi/cli/php -d "memory_limit=33M" ./test.php

Setting memory_limit to 25M or 50M outputs leaked memory:

==2935312==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 5000001 byte(s) in 1 object(s) allocated from:
    #0 0x55ef07c88c1e in malloc (/php-src/sapi/cli/php+0x1c88c1e) (BuildId: 4b2c3013b167e0ff55e0ad4f26ad7d3438ee4f65)
    #1 0x7f5e94e917f2 in xmlStrdup (/lib/x86_64-linux-gnu/libxml2.so.2+0xe37f2) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)

SUMMARY: AddressSanitizer: 5000001 byte(s) leaked in 1 allocation(s)

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

[ghost]

I get the same bug today:

Segmentation fault on unknown address 0x0001ffff8041 with XML extension under certain memory limit

is there a way to get passed this?

[nielsdos]

I get the same bug today:

Segmentation fault on unknown address 0x0001ffff8041 with XML extension under certain memory limit

is there a way to get passed this?

Increasing the memory limit. Otherwise, waiting for next release.
If you're table to build PHP yourself you can manually apply the patch from #14126