Bug #66783 Double free or corruption if appending DOMDocument to element
Submitted: 2014-02-26 21:32 UTC Modified: 2021-03-12 14:51 UTC
From: mfonda@php.net Assigned: cmb (profile)
Status: Closed Package: DOM XML related
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None

 [2014-02-26 21:32 UTC] mfonda@php.net
Description:
------------
Occurs when attempting to append a DOMDocument to a node within the document.

Test script:
---------------
<?php
$dom = new DomDocument;
$dom->loadXML('<root></root>');
$e = $dom->createElement('e');
$e->appendChild($dom);

Actual result:
--------------
*** glibc detected *** php: double free or corruption (!prev): 0x0000000001bff0e0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fbb1bf08b96]
/usr/lib/x86_64-linux-gnu/libxml2.so.2(xmlFreeDoc+0x169)[0x7fbb1c29cbb9]
php(php_libxml_decrement_doc_ref+0x35)[0x4a0b35]
php(dom_objects_free_storage+0x2f)[0x4c3d9f]
php(zend_objects_store_del_ref_by_handle_ex+0x257)[0x7088a7]
php(zend_objects_store_del_ref+0x13)[0x7088c3]
php(_zval_ptr_dtor+0x58)[0x6cff08]
php[0x6ecaf5]
php(zend_hash_reverse_apply+0x71)[0x6ee601]
php(shutdown_destructors+0x61)[0x6d0211]
php(zend_call_destructors+0x37)[0x6dfd07]
php(php_request_shutdown+0x385)[0x67e4f5]
php[0x78cc42]
php(main+0x531)[0x464ad1]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fbb1beab76d]
php[0x464b5d]

History

 [2014-02-27 17:10 UTC] krakjoe@php.net
https://bugs.php.net/bug.php?id=61797

It's because of that ... if anyone has input, I'm happy to patch it ...
 [2015-07-10 16:10 UTC] cmb@php.net
Related to bug #66551.
 [2021-03-12 14:51 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-03-12 14:51 UTC] cmb@php.net
This use-after-free can easily be prevented, by following the DOM
standard, and not allowing that insertion in the first place.
 [2021-03-12 14:53 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #66783: UAF when appending DOMDocument to element
On GitHub:  https://github.com/php/php-src/pull/6765
Patch:      https://github.com/php/php-src/pull/6765.patch
 [2021-03-17 11:41 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a08847ab39bb512d500cf196981a3e8780c83600
Log: Fix #66783: UAF when appending DOMDocument to element
 [2021-03-17 11:41 UTC] cmb@php.net
-Status: Verified +Status: Closed
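
The 2021-03-12 comment says the crash is avoided by following the DOM standard and refusing the insertion. As an added example (not code from this report, php-src or libxml2), here is a stand-alone C model of the parent-type, ancestor and node-type steps of the standard's pre-insertion validity check. `struct node`, `is_inclusive_ancestor` and `check_pre_insert` are hypothetical names, and the standard's extra rules for children of a document are left out.

```c
/* Added example: hypothetical model, not php-src or libxml2 code.
 * Type values mirror libxml2's xmlElementType numbering. */
#include <stddef.h>
#include <stdio.h>

enum node_type { ELEMENT_NODE = 1, TEXT_NODE = 3, CDATA_NODE = 4, PI_NODE = 7,
                 COMMENT_NODE = 8, DOCUMENT_NODE = 9, DOCTYPE_NODE = 10,
                 FRAGMENT_NODE = 11, HTML_DOCUMENT_NODE = 13 };
#define HIERARCHY_REQUEST_ERR 3 /* DOMException code for HierarchyRequestError */

struct node {
    enum node_type type;
    struct node *parent; /* NULL for a document or a detached node */
};

/* True if candidate is n itself or one of n's ancestors. */
static int is_inclusive_ancestor(const struct node *candidate, const struct node *n)
{
    for (; n != NULL; n = n->parent)
        if (n == candidate) return 1;
    return 0;
}

/* Returns 0 if node may become a child of parent, else HIERARCHY_REQUEST_ERR. */
int check_pre_insert(const struct node *parent, const struct node *node)
{
    switch (parent->type) { /* only these node types can have children */
    case DOCUMENT_NODE: case HTML_DOCUMENT_NODE: case FRAGMENT_NODE: case ELEMENT_NODE:
        break;
    default:
        return HIERARCHY_REQUEST_ERR;
    }
    if (is_inclusive_ancestor(node, parent)) return HIERARCHY_REQUEST_ERR; /* cycle */
    switch (node->type) { /* a document is never a valid child */
    case FRAGMENT_NODE: case DOCTYPE_NODE: case ELEMENT_NODE: case TEXT_NODE:
    case CDATA_NODE: case PI_NODE: case COMMENT_NODE:
        return 0;
    default:
        return HIERARCHY_REQUEST_ERR;
    }
}

int main(void)
{
    /* Constructed scenario matching the test script: $e is detached. */
    struct node dom = { DOCUMENT_NODE, NULL }, e = { ELEMENT_NODE, NULL };
    printf("ancestor check alone: %d\n", is_inclusive_ancestor(&dom, &e));
    printf("full check: %d\n", check_pre_insert(&e, &dom));
    return 0;
}
```

Because `$e` in the test script is created but never attached, the document is not one of its ancestors, so a cycle check alone would let the insertion through; it is the node-type step that rejects a document as a child.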
 
Last updated: Tue Mar 11 04:01:28 2025 UTC