Bug #34232 Crash (double free or corruption) using DOM functions
Submitted: 2005-08-24 10:55 UTC Modified: 2005-09-10 17:39 UTC
From: anders at kaseorg dot com Assigned: rrichards (profile)
Status: Not a bug Package: DOM XML related
PHP Version: 5CVS-2005-08-30 OS: *
Private report: No CVE-ID: None
 [2005-08-24 10:55 UTC] anders at kaseorg dot com
Description:
------------
Running PHP (5.0.4-10.3 on Fedora Core 4) on this code crashes with a "double free" error after producing correct output. If you comment the last appendChild line, it segfaults instead.

Reproduce code:
---------------
<?php
$imp = new DOMImplementation();
$doc = $imp->createDocument(
  'http://www.w3.org/1999/xhtml',
  'html',
  $imp->createDocumentType('html',
    '-//W3C//DTD XHTML 1.0 Strict//EN',
    'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd')
);
$html = $doc->documentElement;
$head = $html->appendChild($doc->createElement('head'));
$meta = $head->appendChild($doc->createElement('meta'));
$meta->setAttribute('http-equiv', 'Content-Type');
$meta->setAttribute('content', 'application/xhtml+xml; charset=utf-8');
$head->appendChild($doc->createElement('title'));
echo $doc->saveXML();
?>


Expected result:
----------------
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title></head></html>


Actual result:
--------------
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title></head></html>
*** glibc detected *** php: double free or corruption (!prev): 0x0985dcf0 ***
======= Backtrace: =========
/lib/libc.so.6[0x984124]
/lib/libc.so.6(__libc_free+0x77)[0x98465f]
/usr/lib/libxml2.so.2(xmlFreeNode+0x1ce)[0x7535b66]
php[0x80728be]
php[0x80733cb]
php[0x807339f]
php(php_libxml_node_free_resource+0x3f)[0x8073423]
php(php_libxml_node_decrement_resource+0x41)[0x807349b]
/usr/lib/php/modules/dom.so(dom_objects_free_storage+0x54)[0xc14576]
php(zend_objects_store_del_ref+0x72)[0x8187e48]
php(_zval_ptr_dtor+0x36)[0x8168e3c]
php[0x8179ffc]
php(zend_hash_graceful_reverse_destroy+0x18)[0x817a116]
php(shutdown_executor+0x7c)[0x8169a60]
php(zend_deactivate+0x93)[0x81740de]
php(php_request_shutdown+0x180)[0x813e197]
php(main+0x174)[0x81a7895]
/lib/libc.so.6(__libc_start_main+0xdf)[0x935d5f]
php[0x80727b1]


 [2005-08-24 15:42 UTC] rrichards@php.net
Not yet sure if this will require changes to DOM and SimpleXML or is a libxml2-specific bug. Assigning to self for now.

Current workaround: Don't add meta element as it's going to be destroyed and a new one added anyways when serializing.

 [2005-09-10 17:39 UTC] rrichards@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

was fixed in libxml release 2.6.21.
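
A small triage helper for the glibc abort output quoted in the report, added here as an example and not part of the original bug thread or of PHP's own tooling: it parses the `module(symbol+offset)[address]` frames and reports which library called `free()` and whether that happened during request shutdown. The names `parse_report` and `triage` and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: a subset of the frames quoted in the report above.
SAMPLE = """\
*** glibc detected *** php: double free or corruption (!prev): 0x0985dcf0 ***
======= Backtrace: =========
/lib/libc.so.6[0x984124]
/lib/libc.so.6(__libc_free+0x77)[0x98465f]
/usr/lib/libxml2.so.2(xmlFreeNode+0x1ce)[0x7535b66]
php[0x80728be]
php(php_libxml_node_free_resource+0x3f)[0x8073423]
/usr/lib/php/modules/dom.so(dom_objects_free_storage+0x54)[0xc14576]
php(shutdown_executor+0x7c)[0x8169a60]
php(php_request_shutdown+0x180)[0x813e197]
"""

HEADER = re.compile(r"\*\*\* glibc detected \*\*\* (?P<prog>\S+): "
                    r"(?P<error>.+?): (?P<ptr>0x[0-9a-f]+) \*\*\*")
# module(symbol+offset)[address]; "(symbol+offset)" is absent for stripped frames.
FRAME = re.compile(r"^(?P<module>[^\s(\[]+)(?:\((?P<symbol>[^+)]*)"
                   r"(?:\+0x[0-9a-f]+)?\))?\[(?P<addr>0x[0-9a-f]+)\]$")

def parse_report(text):
    """Return (header dict, list of frame dicts), innermost frame first."""
    header, frames = {}, []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.search(line)
        if m:
            header = m.groupdict()
        elif (m := FRAME.match(line)):
            frames.append(m.groupdict())
    return header, frames

def triage(text):
    """Report which non-libc frame called free() and the named frames above it."""
    header, frames = parse_report(text)
    callers = [f for f in frames if "/libc.so" not in f["module"]]
    path = [f["symbol"] for f in callers[1:] if f["symbol"]]
    return {
        "error": header.get("error"),
        "pointer": header.get("ptr"),
        "freed_by": (callers[0]["module"], callers[0]["symbol"]) if callers else None,
        "reached_via": path,
        "at_shutdown": "php_request_shutdown" in path,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the freeing frame is `xmlFreeNode` in libxml2, reached from PHP's DOM object destructor during request shutdown, which matches the crash appearing only after the output was produced.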
Last updated: Thu Apr 18 17:01:28 2024 UTC