PHP :: Bug #79968 :: DOMText::before() crashes

Bug #79968	DOMText::before() crashes
Submitted:	2020-08-13 11:06 UTC	Modified:	2020-08-13 11:06 UTC
From:	nikic@php.net	Assigned:	beberlei (profile)
Status:	Closed	Package:	DOM XML related
PHP Version:	8.0.0beta1	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nikic@php.net
New email:
PHP Version:		OS:

New Comment:

[2020-08-13 11:06 UTC] nikic@php.net

Description:
------------
<?php
$cdata = new DOMText;
$cdata->before(null);

==441255== Invalid read of size 4
==441255==    at 0x488E30: dom_zvals_to_fragment (parentnode.c:137)
==441255==    by 0x489514: dom_parent_node_before (parentnode.c:339)
==441255==    by 0x494744: zim_DOMCharacterData_before (characterdata.c:428)
==441255==    by 0x9FA8B4: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1618)
==441255==    by 0xA678B8: execute_ex (zend_vm_execute.h:53562)
==441255==    by 0xA6CA21: zend_execute (zend_vm_execute.h:57766)
==441255==    by 0x9C134B: zend_execute_scripts (zend.c:1696)
==441255==    by 0x923E4E: php_execute_script (main.c:2535)
==441255==    by 0xAABE2F: do_cli (php_cli.c:949)
==441255==    by 0xAACE6E: main (php_cli.c:1336)
==441255==  Address 0x8 is not stack'd, malloc'd or (recently) free'd

Patches

Pull Requests

Pull requests:

Fix #79968: Manipulation on unattached DOMChildNode should throw DOMException (php-src/5990)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-08-13 11:06 UTC] nikic@php.net

-Assigned To: +Assigned To: beberlei

[2020-08-15 08:38 UTC] beberlei@php.net

According to the spec, for an element that has its hierachy preconditions fail an exception should be thrown:

node . before(...nodes)

    Inserts nodes just before node, while replacing strings in nodes with equivalent Text nodes.

    Throws a "HierarchyRequestError" DOMException if the constraints of the node tree are violated.

It looks this is not implemented and causes the segfault.

[2020-08-15 08:54 UTC] beberlei@php.net

The following pull request has been associated:

Patch Name: Fix #79968: Manipulation on unattached DOMChildNode should throw DOMException
On GitHub:  https://github.com/php/php-src/pull/5990
Patch:      https://github.com/php/php-src/pull/5990.patch

[2020-08-19 09:55 UTC] beberlei@php.net

Automatic comment on behalf of kontakt@beberlei.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f6820f7f1bfde876cb91bfd473f6d8b679fc474
Log: Fix #79968: Manipulation on unattached DOMChildNode should throw DOMException

[2020-08-19 09:55 UTC] beberlei@php.net

-Status: Assigned +Status: Closed

[2020-08-19 10:20 UTC] beberlei@php.net

Automatic comment on behalf of kontakt@beberlei.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a34fd4d590b36a9c42bb7e65c51202ef951afbdf
Log: Update NEWS w.r.t to bugfix #79968

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 20:00:01 2025 UTC