php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66783 Double free or corruption if appending DOMDocument to element
Submitted: 2014-02-26 21:32 UTC Modified: 2021-03-12 14:51 UTC
From: mfonda@php.net Assigned: cmb (profile)
Status: Closed Package: DOM XML related
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mfonda@php.net
New email:
PHP Version: OS:

 

 [2014-02-26 21:32 UTC] mfonda@php.net
Description:
------------
Occurs when attempting to append a DOMDocument to a node within the document.

Test script:
---------------
<?php
$dom = new DomDocument;
$dom->loadXML('<root></root>');
$e = $dom->createElement('e');
$e->appendChild($dom);

Actual result:
--------------
*** glibc detected *** php: double free or corruption (!prev): 0x0000000001bff0e0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fbb1bf08b96]
/usr/lib/x86_64-linux-gnu/libxml2.so.2(xmlFreeDoc+0x169)[0x7fbb1c29cbb9]
php(php_libxml_decrement_doc_ref+0x35)[0x4a0b35]
php(dom_objects_free_storage+0x2f)[0x4c3d9f]
php(zend_objects_store_del_ref_by_handle_ex+0x257)[0x7088a7]
php(zend_objects_store_del_ref+0x13)[0x7088c3]
php(_zval_ptr_dtor+0x58)[0x6cff08]
php[0x6ecaf5]
php(zend_hash_reverse_apply+0x71)[0x6ee601]
php(shutdown_destructors+0x61)[0x6d0211]
php(zend_call_destructors+0x37)[0x6dfd07]
php(php_request_shutdown+0x385)[0x67e4f5]
php[0x78cc42]
php(main+0x531)[0x464ad1]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fbb1beab76d]
php[0x464b5d]

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-02-27 17:10 UTC] krakjoe@php.net
https://bugs.php.net/bug.php?id=61797

It's because of that ... if anyone has input, I'm happy to patch it ...
 [2015-07-10 16:10 UTC] cmb@php.net
Related to bug #66551.
 [2021-03-12 14:51 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-03-12 14:51 UTC] cmb@php.net
This use-after-free can easily be prevented, by following the DOM
standard, and not allowing that insertion in the first place.
 [2021-03-12 14:53 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #66783: UAF when appending DOMDocument to element
On GitHub:  https://github.com/php/php-src/pull/6765
Patch:      https://github.com/php/php-src/pull/6765.patch
 [2021-03-17 11:41 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a08847ab39bb512d500cf196981a3e8780c83600
Log: Fix #66783: UAF when appending DOMDocument to element
 [2021-03-17 11:41 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC