Bug #33059 crash when moving xml attribute set in dtd
Submitted: 2005-05-18 21:08 UTC
Modified: 2005-05-19 15:47 UTC
From: dikrib at hotmail dot com
Assigned:
Status: Closed
Package: DOM XML related
PHP Version: 5.0.4
OS: Windows XP
Private report: No
CVE-ID: None
 [2005-05-18 21:08 UTC] dikrib at hotmail dot com
Description:
------------
If I try to remove an attribute from an xml document using the dom, where the xml document is validated against a doctype, and the dtd specifies a default value for the attribute, PHP crashes if the attribute is not defined.

My guess is that the default value is received from the dtd, and php therefore believes that the attribute exists and passes the error checking, that should have caused the removeAttribute property to return false.

Tested on PHP 5.0.4 and php5.0-win32-200505181630

Reproduce code:
---------------
<?php
$doc = new DOMDocument();
$doc->validateOnParse = true;
$doc->loadXML('<?xml version="1.0" encoding="iso-8859-1"?'.'>
<!DOCTYPE node [
	<!ELEMENT node EMPTY>
	<!ATTLIST node attr CDATA "">
]>
<node></node>');
$node = $doc->documentElement;
$node->removeAttribute('attr');

Expected result:
----------------
The removeAttribute property should return false, because the attribute is not defined.

Actual result:
--------------
The webserver crashes.

I get a message from Windows saying:
"Apache.exe has encountered a problem and needs to close."...

 [2005-05-18 22:37 UTC] tony2001@php.net
valgrind also shows some errors there:
==6404== Invalid read of size 4
==6404==    at 0x1B9ED17B: xmlUnlinkNode (in /usr/lib/libxml2.so.2.6.17)
==6404==    by 0x1BA07635: (within /usr/lib/libxml2.so.2.6.17)
==6404==    by 0x1B9F68CF: xmlHashFree (in /usr/lib/libxml2.so.2.6.17)
==6404==    by 0x1BA05926: xmlFreeAttributeTable (in /usr/lib/libxml2.so.2.6.17)
==6404==  Address 0x1BD0A61C is 4 bytes inside a block of size 64 free'd
==6404==    at 0x1B9060B1: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==6404==    by 0x1B9F1C1A: xmlFreeProp (in /usr/lib/libxml2.so.2.6.17)
==6404==    by 0x807B430: zif_dom_element_remove_attribute (element.c:301)
==6404==    by 0x8194284: zend_do_fcall_common_helper (zend_execute.c:2747)
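
Added example (not part of the original report or of PHP's own code): a small Python triage script that splits the memcheck report quoted above into the stack that read the freed block and the stack that freed it, then picks the first frame carrying file:line debug info. The function names `triage` and `responsible_frame` are hypothetical; the trace is copied from the comment above.

```python
import re

# Trace copied verbatim from the valgrind comment above.
TRACE = """\
==6404== Invalid read of size 4
==6404==    at 0x1B9ED17B: xmlUnlinkNode (in /usr/lib/libxml2.so.2.6.17)
==6404==    by 0x1BA07635: (within /usr/lib/libxml2.so.2.6.17)
==6404==    by 0x1B9F68CF: xmlHashFree (in /usr/lib/libxml2.so.2.6.17)
==6404==    by 0x1BA05926: xmlFreeAttributeTable (in /usr/lib/libxml2.so.2.6.17)
==6404==  Address 0x1BD0A61C is 4 bytes inside a block of size 64 free'd
==6404==    at 0x1B9060B1: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==6404==    by 0x1B9F1C1A: xmlFreeProp (in /usr/lib/libxml2.so.2.6.17)
==6404==    by 0x807B430: zif_dom_element_remove_attribute (element.c:301)
==6404==    by 0x8194284: zend_do_fcall_common_helper (zend_execute.c:2747)
"""

ERROR = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)$")
FREED = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes "
                   r"inside a block of size (\d+) free'd$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?:(\S+) )?\((.*)\)$")


def triage(trace):
    """Split a memcheck use-after-free report into access and free stacks."""
    report = {"error": None, "offset": None, "block_size": None,
              "access_stack": [], "free_stack": []}
    current = None  # stack list that the next frame lines belong to
    for line in trace.splitlines():
        if m := ERROR.match(line):
            report["error"], current = m.group(1), report["access_stack"]
        elif m := FREED.match(line):
            report["offset"] = int(m.group(1))
            report["block_size"] = int(m.group(2))
            current = report["free_stack"]
        elif (m := FRAME.match(line)) and current is not None:
            # Frames without a symbol name ("(within ...)") are kept as "???".
            current.append((m.group(1) or "???", m.group(2)))
    return report


def responsible_frame(stack):
    """Return the first frame with file:line info (code built with debug
    symbols), or None if every frame is inside a stripped library."""
    for func, where in stack:
        if re.fullmatch(r"[^\s:]+:\d+", where):
            return func, where
    return None
```

On this trace the free stack resolves to `zif_dom_element_remove_attribute (element.c:301)` calling `xmlFreeProp`, while the later read of the same block happens under `xmlFreeAttributeTable`, with no PHP frame on the access side.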

 [2005-05-19 15:47 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 