\Uri\WhatWg\Url crashes (SEGV) when parsing malformed URL due to Lexbor memory corruption #20502

@vi3tL0u1s

Description

The following code:

<?php
foreach (get_declared_classes() as$$cxass) {
    try {
      $h	>= $a[0] = $tokens = $n = $n[++$x] =  $a . unserialize(serialize($GLOBALS));
      $a[0] =/////
      new Uri\WhatWg\Url("ftp:1;++0tgts645311:115\\\\\\\\1;++0tgts645311:115\\\\\\\\.\\\\\\\\\\\\\\\\\n2: {@ $value =& $tjis;$$thxs->///2:1::///#///////////PPPg");
    } catch (Throwable)	{}
}

Resulted in this output:

=================================================================
==407285==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_descriptions.cpp:80 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
    #0 0x7ff78903d9a8 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cpp:74
    #1 0x7ff78905e32e in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cpp:78
    #2 0x7ff788fada77 in GetShadowKind ../../../../src/libsanitizer/asan/asan_descriptions.cpp:80
    #3 0x7ff788fada77 in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cpp:96
    #4 0x7ff788fada77 in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cpp:93
    #5 0x7ff788faf296 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) ../../../../src/libsanitizer/asan/asan_descriptions.cpp:441
    #6 0x7ff788fb1a84 in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) ../../../../src/libsanitizer/asan/asan_errors.cpp:389
    #7 0x7ff78903cfc5 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ../../../../src/libsanitizer/asan/asan_report.cpp:476
    #8 0x7ff789033c4f in __asan_memset ../../../../src/libsanitizer/asan/asan_interceptors_memintrinsics.cpp:26
    #9 0x564463f748ba in lexbor_mraw_calloc ext/lexbor/lexbor/core/mraw.c:232
    #10 0x5644640b2485 in lxb_url_parse_basic_h ext/lexbor/lexbor/url/url.c:1306
    #11 0x5644640b2165 in lxb_url_parse_basic ext/lexbor/lexbor/url/url.c:1269
    #12 0x5644640b20ea in lxb_url_parse ext/lexbor/lexbor/url/url.c:1256
    #13 0x564464b013f4 in php_uri_parser_whatwg_parse_ex /path/to/php-src/ext/uri/uri_parser_whatwg.c:568
    #14 0x564464b0172e in php_uri_parser_whatwg_parse /path/to/php-src/ext/uri/uri_parser_whatwg.c:590
    #15 0x564464af2e7a in uri_unserialize /path/to/php-src/ext/uri/php_uri.c:848
    #16 0x564464af4c8c in zim_Uri_WhatWg_Url___unserialize /path/to/php-src/ext/uri/php_uri.c:998
    #17 0x564464f27457 in zend_call_function /path/to/php-src/Zend/zend_execute_API.c:1027
    #18 0x564464f29242 in zend_call_known_function /path/to/php-src/Zend/zend_execute_API.c:1108
    #19 0x564464a9598a in zend_call_known_instance_method Zend/zend_API.h:862
    #20 0x564464a8da01 in zend_call_known_instance_method_with_1_params Zend/zend_API.h:874
    #21 0x564464a8c951 in var_destroy ext/standard/var_unserializer.re:295
    #22 0x564464a8b8c6 in php_var_unserialize_destroy ext/standard/var_unserializer.re:87
    #23 0x564464aa9c47 in php_unserialize_with_options /path/to/php-src/ext/standard/var.c:1493
    #24 0x564464aaaadf in zif_unserialize /path/to/php-src/ext/standard/var.c:1517
    #25 0x5644650e1691 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER Zend/zend_vm_execute.h:1421
    #26 0x564464f4ca02 in execute_ex Zend/zend_vm_execute.h:116212
    #27 0x564464f4d307 in zend_execute Zend/zend_vm_execute.h:121924
    #28 0x56446536c780 in zend_execute_script /path/to/php-src/Zend/zend.c:1975
    #29 0x564464ba1e43 in php_execute_script_ex /path/to/php-src/main/main.c:2645
    #30 0x564464ba22ae in php_execute_script /path/to/php-src/main/main.c:2685
    #31 0x564465375266 in do_cli /path/to/php-src/sapi/cli/php_cli.c:951
    #32 0x5644653779d6 in main /path/to/php-src/sapi/cli/php_cli.c:1362
    #33 0x7ff788899d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #34 0x7ff788899e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #35 0x564463a03ff4 in _start (/path/to/php-src/sapi/cli/php+0x603ff4)

Commit:

035f95cf5e016236cca11bc293dc04d40b40e45c

Build configuration:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./buildconf --force && ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic --enable-mbstring --with-zlib

PHP Version

PHP 8.6.0-dev (cli) (built: Nov 16 2025 19:51:33) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04