Bug #42112 deleting a node produces memory corruption
Submitted: 2007-07-26 15:03 UTC Modified: 2007-07-28 08:55 UTC
From: derick@php.net Assigned: rrichards (profile)
Status: Closed Package: DOM XML related
PHP Version: 5CVS-2007-07-26 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2007-07-26 15:03 UTC] derick@php.net
Description:
------------
When running getElementById() on a node that just has been removed I get memory corruptions, and often a segfault. I am using libxml 2.6.29

Reproduce code:
---------------
See http://files.derickrethans.nl/xml-crash.tar.bz2

run the script with "valgrind php xml-crash.php"

Expected result:
----------------
No valgrind errors :)

Actual result:
--------------
==27233== Invalid read of size 8
==27233==    at 0x4D6548: zif_dom_document_get_element_by_id (document.c:1267)
==27233==    by 0x873B94: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==27233==    by 0x874902: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==27233==    by 0x873635: execute (zend_vm_execute.h:92)
==27233==    by 0x873D23: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==27233==    by 0x874902: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==27233==    by 0x873635: execute (zend_vm_execute.h:92)
==27233==    by 0x873D23: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==27233==    by 0x874902: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==27233==    by 0x873635: execute (zend_vm_execute.h:92)
==27233==    by 0x84B283: zend_execute_scripts (zend.c:1134)
==27233==    by 0x7F1629: php_execute_script (main.c:1967)
==27233==  Address 0x9FEA200 is 40 bytes inside a block of size 96 free'd
==27233==    at 0x4A2066A: free (vg_replace_malloc.c:233)
==27233==    by 0x46BF04: php_libxml_node_free (libxml.c:197)
==27233==    by 0x46C0A5: php_libxml_node_free_list (libxml.c:262)
==27233==    by 0x46DF5F: php_libxml_node_free_resource (libxml.c:1013)
==27233==    by 0x46DFEB: php_libxml_node_decrement_resource (libxml.c:1036)
==27233==    by 0x4D2193: dom_objects_free_storage (php_dom.c:974)
==27233==    by 0x87160D: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==27233==    by 0x871465: zend_objects_store_del_ref (zend_objects_API.c:168)
==27233==    by 0x848B5C: _zval_dtor_func (zend_variables.c:52)
==27233==    by 0x839C98: _zval_dtor (zend_variables.h:35)
==27233==    by 0x839EB1: _zval_ptr_dtor (zend_execute_API.c:414)
==27233==    by 0x848ED1: _zval_ptr_dtor_wrapper (zend_variables.c:175)

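The report points to a tarball rather than an inline script, so the exact reproduction is not on this page. The following is an added example, not Derick's script and not code from the PHP project, showing the shape of the scenario the description names (a node is removed and released, then `getElementById()` is called on the document) as a regression check to run under valgrind exactly as the report suggests. The document contents and the use of `setIdAttribute()` to make `id` an ID attribute are assumptions made for this example.

```php
<?php
// Added regression check (assumed reproduction pattern, not the tarball
// from the report). Run it as:  valgrind php xml-crash-check.php
// The expected outcome, as in the report, is no valgrind errors.

$doc = new DOMDocument();
$doc->loadXML('<root><item id="a">one</item><item id="b">two</item></root>');

// getElementById() consults libxml's ID table, which only knows about
// attributes declared as IDs; mark "id" as such on every item element.
foreach ($doc->getElementsByTagName('item') as $item) {
    $item->setIdAttribute('id', true);
}

// Remove one element from the tree and drop the last PHP reference to it.
// Per the valgrind trace above, freeing the DOM object releases the
// detached libxml node (php_libxml_node_free_list -> php_libxml_node_free).
$node = $doc->getElementById('a');
$node->parentNode->removeChild($node);
unset($node);

// On the affected build this lookup touched the freed node
// (zif_dom_document_get_element_by_id, document.c:1267). A fixed build
// must complete this call without valgrind reporting an invalid read.
$result = $doc->getElementById('a');
var_dump($result === null || $result instanceof DOMElement);

// The untouched element remains reachable either way.
var_dump($doc->getElementById('b')->textContent); // string(3) "two"
```

Running this under valgrind on a snapshot that contains the fix should produce a clean run; an "Invalid read" at `zif_dom_document_get_element_by_id` like the one in the report indicates the build predates the fix.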

 [2007-07-26 15:03 UTC] derick@php.net
Hello Rob, could you please have a look at this one?
 [2007-07-28 08:55 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
