Bug #33059 crash when moving xml attribute set in dtd
Submitted: 2005-05-18 21:08 UTC Modified: 2005-05-19 15:47 UTC
From: dikrib at hotmail dot com Assigned:
Status: Closed Package: DOM XML related
PHP Version: 5.0.4 OS: Windows XP
Private report: No CVE-ID: None
 [2005-05-18 21:08 UTC] dikrib at hotmail dot com
If I try to remove an attribute from an xml document using the dom, where the xml document is validated against a doctype, and the dtd specifies a default value for the attribute, PHP crashes if the attribute is not defined.

My guess is that the default value is received from the dtd, and php therefore believes that the attribute exists and passes the error checking that should have caused the removeAttribute property to return false.

Tested on PHP 5.0.4 and php5.0-win32-200505181630

Reproduce code:
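$doc = new DOMDocument();
$doc->validateOnParse = true;
// The DTD declares a default value ("") for attr; the element itself does not set it.
// The end of the document string and the removeAttribute() call were cut off on this
// page and are reconstructed here from the description above.
$doc->loadXML('<?xml version="1.0" encoding="iso-8859-1"?'.'>
<!DOCTYPE node [
	<!ATTLIST node attr CDATA "">
]>
<node />');
$node = $doc->documentElement;
$node->removeAttribute('attr');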

Expected result:
the removeAttribute property should return false, because the attribute is not defined.

Actual result:
The webserver crashes.

I get a message from Windows saying:
"Apache.exe has encountered a problem and needs to close."...


 [2005-05-18 22:37 UTC]
valgrind also shows some errors there:
==6404== Invalid read of size 4
==6404==    at 0x1B9ED17B: xmlUnlinkNode (in /usr/lib/
==6404==    by 0x1BA07635: (within /usr/lib/
==6404==    by 0x1B9F68CF: xmlHashFree (in /usr/lib/
==6404==    by 0x1BA05926: xmlFreeAttributeTable (in /usr/lib/
==6404==  Address 0x1BD0A61C is 4 bytes inside a block of size 64 free'd
==6404==    at 0x1B9060B1: free (in /usr/lib/valgrind/
==6404==    by 0x1B9F1C1A: xmlFreeProp (in /usr/lib/
==6404==    by 0x807B430: zif_dom_element_remove_attribute (element.c:301)
==6404==    by 0x8194284: zend_do_fcall_common_helper (zend_execute.c:2747)

 [2005-05-19 15:47 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
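
The failure mode the reporter guesses at and the valgrind trace shows (a block freed under removeAttribute, then read again during xmlFreeAttributeTable), as an added C model that is not PHP or libxml2 source. It assumes the attribute lookup falls back to the DTD's default declaration; all type and function names are hypothetical. The removal routine frees only nodes the element owns and returns 0 for a default-only attribute.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model; not libxml2 or PHP source. All names are hypothetical. */
typedef enum { ATTR_NODE, ATTR_DECL } Kind; /* element-owned vs. DTD-owned */
typedef struct Attr { Kind kind; const char *name; struct Attr *next; } Attr;
typedef struct { Attr *attrs; Attr *dtd_defaults; } Element;
static Attr *new_attr(Kind k, const char *name, Attr *next) {
    Attr *a = malloc(sizeof *a);
    if (!a) abort();
    a->kind = k; a->name = name; a->next = next;
    return a;
}
/* Lookup that falls back to DTD defaults, so the hit may be DTD-owned. */
static Attr *has_prop(const Element *e, const char *name) {
    for (Attr *a = e->attrs; a; a = a->next)
        if (strcmp(a->name, name) == 0) return a;
    for (Attr *d = e->dtd_defaults; d; d = d->next)
        if (strcmp(d->name, name) == 0) return d;
    return NULL;
}

/* Returns 1 if an explicit attribute was unlinked and freed, else 0. */
static int remove_attribute(Element *e, const char *name) {
    Attr *hit = has_prop(e, name);
    if (!hit || hit->kind != ATTR_NODE)
        return 0; /* absent or default-only: the DTD frees it at teardown */
    for (Attr **pp = &e->attrs; *pp; pp = &(*pp)->next)
        if (*pp == hit) { *pp = hit->next; free(hit); return 1; }
    return 0;
}

/* Constructed case from the report: <node/> with only an ATTLIST default. */
static int demo_default_only(void) {
    Element e = { NULL, new_attr(ATTR_DECL, "attr", NULL) };
    int removed = remove_attribute(&e, "attr");
    int intact = has_prop(&e, "attr") == e.dtd_defaults;
    free(e.dtd_defaults); /* single free, at "DTD teardown" */
    return removed == 0 && intact;
}

/* Constructed case: an explicit attr plus the same DTD default. */
static int demo_explicit(void) {
    Element e = { new_attr(ATTR_NODE, "attr", NULL), new_attr(ATTR_DECL, "attr", NULL) };
    int first = remove_attribute(&e, "attr");  /* frees the element's node */
    int second = remove_attribute(&e, "attr"); /* now resolves to the default */
    free(e.dtd_defaults);
    return first == 1 && second == 0 && e.attrs == NULL;
}
int main(void) { return !(demo_default_only() && demo_explicit()); }
```

Without the kind check, the default-only case would free the DTD-owned declaration once in the removal routine and touch it again at teardown, which is the pattern in the trace above.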
