PHP :: Bug #32755 :: Segfault in replaceChild() when DocumentFragment has no children

Bug #32755	Segfault in replaceChild() when DocumentFragment has no children
Submitted:	2005-04-19 00:09 UTC	Modified:	2005-04-19 01:09 UTC
From:	james at safesearching dot com	Assigned:
Status:	Closed	Package:	DOM XML related
PHP Version:	5CVS-2005-04-18 (dev)	OS:	RedHat 7.3
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	james at safesearching dot com
New email:
PHP Version:		OS:

New Comment:

[2005-04-19 00:09 UTC] james at safesearching dot com

Description:
------------
Segfault occurs when calling DOMNode::replaceChild($newNode, $oldNode) if $newNode is a DocumentFragment with no children.

The segfault occurs on line 62 of ext/dom/node.c:

dom_reconcile_ns (doc=0x81aff20, nodep=0x0)
    at /home/james/php5-STABLE-200504182039/ext/dom/node.c:62
62              if (nodep->type == XML_ELEMENT_NODE) {

Code runs test against nodep->type when nodep is NULL.

Was tested on both 5.0.4 (w/ node.c,v 1.29.2.4) and 5.0.5-dev (STABLE-200504182039).

Reproduce code:
---------------
<?php

header('Content-type: text/plain;');

$xml = "<root><first/><second/></root>\n";
$dom = new DomDocument;

$dom->loadXML($xml);

$root = $dom->documentElement;
$frag = $dom->createDocumentFragment();

$root->replaceChild($frag, $root->firstChild);

print_r($dom->saveXML());

?>


Expected result:
----------------
Not exactlly sure... perhaps issue a warning indicating that the DocumentFragment object had no children and remove oldNode? Maybe generate a fatal error?

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 27878)]
dom_reconcile_ns (doc=0x81d0540, nodep=0x0)
    at /home/james/php5-STABLE-200504182039/ext/dom/node.c:62
62              if (nodep->type == NULL) {

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-04-19 00:12 UTC] james at safesearching dot com

Reproduce code didn't quite make it all the way in... full code is:

<?php

header('Content-type: text/plain;');

$xml = "<root><first/><second/></root>\n";
$dom = new DomDocument;

$dom->loadXML($xml);

$root = $dom->documentElement;
$frag = $dom->createDocumentFragment();

$root->replaceChild($frag, $root->firstChild);

print_r($dom->saveXML());

?>

[2005-04-19 01:09 UTC] rrichards@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Feb 02 18:01:29 2025 UTC