Bug #32615 Segfault in DOMNode::replaceChild() when previousSibling is NULL
Submitted: 2005-04-07 02:14 UTC Modified: 2005-04-08 18:01 UTC
From: james at safesearching dot com Assigned: rrichards (profile)
Status: Closed Package: DOM XML related
PHP Version: 5.0.4 OS: Redhat 7.3
Private report: No CVE-ID: None
 [2005-04-07 02:14 UTC] james at safesearching dot com
Description:
------------
A segfault occurs when calling DOMNode::replaceChild() if previousSibling is NULL and nextSibling is not NULL.

The segfault occurs on line 1150 of ext/dom/node.c. The relevant code being:

if (prevsib == NULL && nextsib == NULL) {
    nodep->children = newchild;
    nodep->last = fragment->last;
} else {
    if (newchild) {
        prevsib->next = newchild;    /* <--- segfault is here */
        newchild->prev = prevsib;

        fragment->last->next = nextsib;
        if (nextsib) {
            nextsib->prev = fragment->last;
        } else {
            nodep->last = fragment->last;
        }
    }
}

The code doesn't check for the possibility that prevsib == NULL and nextsib != NULL.

Reproduce code:
---------------
<?php

header('Content-type: text/plain;');

$xml = "<root><first/><second/></root>\n";
$dom = new DomDocument;

$dom->loadXML($xml);

$root = $dom->documentElement;
$node = $dom->createElement('newfirst');
$frag = $dom->createDocumentFragment();

$frag->appendChild($node);
$root->replaceChild($frag, $root->firstChild);

print_r($dom->saveXML());

?>


Expected result:
----------------
<?xml version="1.0"?>
<root><newfirst/><second/></root>

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 4477)]
0x403490ac in zif_dom_node_replace_child (ht=2, return_value=0x814822c,
    this_ptr=0x81452c4, return_value_used=0)
    at /home/james/php-5.0.4/ext/dom/node.c:1150
1150                                            prevsib->next = newchild;
(gdb) bt
#0  0x403490ac in zif_dom_node_replace_child (ht=2, return_value=0x814822c,
    this_ptr=0x81452c4, return_value_used=0)
    at /home/james/php-5.0.4/ext/dom/node.c:1150
#1  0x4047ac3a in zend_do_fcall_common_helper (execute_data=0xbfffb4c0,
    opline=0x814a310, op_array=0x81451cc)
    at /home/james/php-5.0.4/Zend/zend_execute.c:2727
#2  0x4047b1a7 in zend_do_fcall_by_name_handler (execute_data=0xbfffb4c0,
    opline=0x814a310, op_array=0x81451cc)
    at /home/james/php-5.0.4/Zend/zend_execute.c:2841
#3  0x40477a55 in execute (op_array=0x81451cc)
    at /home/james/php-5.0.4/Zend/zend_execute.c:1406
#4  0x404530e3 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/james/php-5.0.4/Zend/zend.c:1069
#5  0x404123b8 in php_execute_script (primary_file=0xbfffd820)
    at /home/james/php-5.0.4/main/main.c:1632
#6  0x40482442 in apache_php_module_main (r=0x8138480, display_source_mode=0)
    at /home/james/php-5.0.4/sapi/apache/sapi_apache.c:54
#7  0x4048310c in send_php (r=0x8138480, display_source_mode=0,
    filename=0x8139f88 "/var/www/html/test1.php")
    at /home/james/php-5.0.4/sapi/apache/mod_php5.c:622
#8  0x40483165 in send_parsed_php (r=0x8138480)
    at /home/james/php-5.0.4/sapi/apache/mod_php5.c:637
#9  0x0805480d in ap_invoke_handler ()
#10 0x08067b0c in process_request_internal ()
#11 0x08067b83 in ap_process_request ()
#12 0x0805fc97 in child_main ()
#13 0x0805fe3a in make_child ()
#14 0x0805ff7d in startup_children ()
#15 0x080605d0 in standalone_main ()
#16 0x08060ed3 in main ()
#17 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
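
An added example, written for this page and not PHP's or libxml2's own code: it models the parent/children/last/prev/next pointers of ext/dom/node.c with a minimal struct, splices a fragment in place of a child with the branch the quoted code lacks (prevsib == NULL while nextsib != NULL), and checks the result on the report's reproduction tree. Names such as replace_with_fragment and reproduce_report are this example's own.

```c
#include <stddef.h>
#include <string.h>
typedef struct node {
    const char *name;
    struct node *parent, *children, *last, *prev, *next;
} node;

/* Append c as the last child of p (used to build both the tree and the fragment). */
static void append(node *p, node *c) {
    c->parent = p; c->next = NULL; c->prev = p->last;
    if (p->last) p->last->next = c; else p->children = c;
    p->last = c;
}

/* Splice fragment's children in place of oldchild: the shape of the code quoted in
 * the report, plus the branch it lacked (prevsib == NULL while nextsib != NULL). */
static int replace_with_fragment(node *nodep, node *fragment, node *oldchild) {
    node *newchild = fragment->children;
    node *prevsib = oldchild->prev, *nextsib = oldchild->next;
    if (!newchild || oldchild->parent != nodep) return -1;
    if (prevsib) prevsib->next = newchild;  /* the report's code did this unconditionally */
    else nodep->children = newchild;        /* oldchild was first: update the head pointer */
    newchild->prev = prevsib;
    fragment->last->next = nextsib;
    if (nextsib) nextsib->prev = fragment->last;
    else nodep->last = fragment->last;      /* oldchild was last: update the tail pointer */
    for (node *n = newchild; n != nextsib; n = n->next) n->parent = nodep;
    oldchild->parent = oldchild->prev = oldchild->next = NULL;
    fragment->children = fragment->last = NULL;
    return 0;
}

/* Build <root><first/><second/></root> and replace one child with a fragment holding
 * <newfirst/> (replace_second == 0 is the report's crashing case). Writes the child
 * names to out; returns the child count, or -1 if the sibling links are inconsistent. */
static int reproduce_report(int replace_second, char *out, size_t cap) {
    node root = {"root"}, first = {"first"}, second = {"second"};
    node frag = {"#fragment"}, newfirst = {"newfirst"};
    append(&root, &first); append(&root, &second); append(&frag, &newfirst);
    if (replace_with_fragment(&root, &frag, replace_second ? &second : &first)) return -1;
    int fwd = 0, back = 0; out[0] = '\0';
    for (node *n = root.children; n; n = n->next, fwd++) {
        if (n->parent != &root || (n->prev ? n->prev->next : root.children) != n) return -1;
        if (n->prev) strncat(out, " ", cap - strlen(out) - 1);
        strncat(out, n->name, cap - strlen(out) - 1);
    }
    for (node *n = root.last; n; n = n->prev) back++;
    return fwd == back ? fwd : -1;
}
```

reproduce_report(0, ...) yields "newfirst second", the result the report expected instead of the crash; reproduce_report(1, ...) covers the already-working last-child case.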


 [2005-04-07 08:24 UTC] tony2001@php.net
Assigning to the maintainer.
 [2005-04-08 18:01 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jan 02 13:01:30 2025 UTC