Bug #45251 double free or corruption with setAttributeNode()
Submitted: 2008-06-12 19:46 UTC
Modified: 2008-06-14 11:28 UTC
From: ms419 at freezone dot co dot uk
Assigned: rrichards
Status: Closed
Package: DOM XML related
PHP Version: 5.2.6
OS:
Private report: No
CVE-ID: None

 [2008-06-12 19:46 UTC] ms419 at freezone dot co dot uk
Description:
------------
I get the following double free or corruption when trying to add attributes of one DOMElement to another DOMElement with setAttributeNode()

Reproduce code:
---------------
<?php

$doc = new DOMDocument;
$doc->loadXml(<<<EOF
<?xml version="1.0" encoding="utf-8" ?>
<aaa>
  <bbb foo="bar"/>
</aaa>
EOF
);

$xpath = new DOMXPath($doc);

$bbb = $xpath->query('bbb', $doc->documentElement)->item(0);

$ccc = $doc->createElement('ccc');
foreach ($bbb->attributes as $attr)
{
  $ccc->setAttributeNode($attr);
}


Expected result:
----------------
No double free or corruption

Actual result:
--------------
ket% php test.php
*** glibc detected *** php: double free or corruption (fasttop): 0x09ed5280 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb79ba614]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb79bc816]
/usr/lib/libxml2.so.2(xmlFreeProp+0x9b)[0xb7aed17b]
/usr/lib/libxml2.so.2(xmlFreePropList+0x1b)[0xb7aed3bb]
/usr/lib/libxml2.so.2(xmlFreeNodeList+0xba)[0xb7aecaea]
/usr/lib/libxml2.so.2(xmlFreeNodeList+0x97)[0xb7aecac7]
/usr/lib/libxml2.so.2(xmlFreeDoc+0xbc)[0xb7aec90c]
php(php_libxml_decrement_doc_ref+0x5a)[0x8098cea]
php(dom_objects_free_storage+0x70)[0x80de820]
php(zend_objects_store_del_ref_by_handle+0x1cb)[0x82df80b]
php(zend_objects_store_del_ref+0x28)[0x82df858]
php(_zval_dtor_func+0x71)[0x82bfbc1]
php(_zval_ptr_dtor+0x78)[0x82b28f8]
php[0x82caed5]
php(zend_hash_reverse_apply+0x6e)[0x82cafde]
php(shutdown_destructors+0x7c)[0x82b280c]
php(zend_call_destructors+0x44)[0x82c0354]
php(php_request_shutdown+0x2fc)[0x8277b2c]
php(main+0x5f7)[0x83528b7]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7962455]
php[0x8097cb1]
======= Memory map: ========
zsh: abort      php test.php
ket% 


 [2008-06-12 20:41 UTC] rrichards@php.net
assign to self
 [2008-06-14 11:28 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
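
For code that has to run on a build without the fix, one way to avoid handing setAttributeNode() an attribute that still belongs to another element is to copy attributes by name and value. This is an added example, not code from the report or from the PHP project; copyAttributes() is a hypothetical helper, the sample document is constructed, and it assumes the crash depends on re-attaching a node that $bbb still owns, which the page does not state.

```php
<?php
// Added example: copy attributes by name and value instead of re-attaching
// the source element's DOMAttr nodes with setAttributeNode().
// copyAttributes() is a hypothetical helper, not part of the DOM extension.

function copyAttributes(DOMElement $from, DOMElement $to)
{
    // $from->attributes is a live DOMNamedNodeMap. Snapshot it first so the
    // copy loop is unaffected if the two elements turn out to be the same one.
    $attrs = array();
    foreach ($from->attributes as $attr) {
        $attrs[] = $attr;
    }

    foreach ($attrs as $attr) {
        if ($attr->namespaceURI !== null && $attr->namespaceURI !== '') {
            // nodeName carries the prefix (for example "xlink:href").
            $to->setAttributeNS($attr->namespaceURI, $attr->nodeName, $attr->value);
        } else {
            $to->setAttribute($attr->name, $attr->value);
        }
    }

    return count($attrs);
}

// Constructed input with the same shape as the document in the report.
$doc = new DOMDocument;
$doc->loadXML('<aaa><bbb foo="bar" baz="qux"/></aaa>');
$bbb = $doc->documentElement->firstChild;

$ccc = $doc->createElement('ccc');
$doc->documentElement->appendChild($ccc);

$copied = copyAttributes($bbb, $ccc);

// Each element now has its own attribute nodes; $bbb keeps its originals,
// so freeing the document releases every attribute node exactly once.
echo $copied, " attribute(s) copied\n";
echo $doc->saveXML($ccc), "\n";
echo $doc->saveXML($bbb), "\n";
```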


 