php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81506 malloc(): unaligned tcache chunk detected
Submitted: 2021-10-05 13:45 UTC Modified: 2023-06-04 12:12 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: sjon@php.net Assigned: nielsdos (profile)
Status: Closed Package: DOM XML related
PHP Version: 8.1.0RC3 OS: archLinux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: sjon@php.net
New email:
PHP Version: OS:

 

 [2021-10-05 13:45 UTC] sjon@php.net 
Description:
------------
Found this while going through bughunt, see https://3v4l.org/N6CNZ

it seems different from these two known issues #79451 and #80602

Test script:
---------------
<?php

$dom = null;
$dt = null;
$impl = null;

function doThing() {
$my_arr = [];

global $dom,$dt,$impl;

for($x = 0; $x < 7; $x++) {
$dom = new \DOMDocument();
$dom->loadHTML("<!DOCTYPE html><p>hello</p>");
$impl = new \DOMImplementation();
$dt = $impl->createDocumentType("html", "", "");

array_push($my_arr, $dt, $dom, $impl);
}

$dom = new \DOMDocument();
$dom->loadHTML("<!DOCTYPE html><p>hello</p>");
$impl = new \DOMImplementation();
$dt = $impl->createDocumentType("html", "", "");
}
//gc_collect_cycles();

doThing();
gc_collect_cycles();
$dom->replaceChild($dt, $dom->doctype); // FREE THE FIRST TIME!

doThing(); // fill up tcache; coimment this out for tcache double free malding
gc_collect_cycles(); // FREE AGAIN

Expected result:
----------------
no segmentation fault

Actual result:
--------------
malloc(): unaligned tcache chunk detected

Process exited with code 134.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-06-04 12:12 UTC] nielsdos@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nielsdos
 [2023-06-04 12:12 UTC] nielsdos@php.net 
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at
http://www.php.net/downloads.php

This was fixed in 8.0.24, 8.1.11 and 8.2.0, but the issue wasn't yet closed.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Mar 13 05:01:30 2025 UTC