Bug #45251 double free or corruption with setAttributeNode()
Submitted: 2008-06-12 19:46 UTC Modified: 2008-06-14 11:28 UTC
From: ms419 at freezone dot co dot uk Assigned: rrichards
Status: Closed Package: DOM XML related
PHP Version: 5.2.6 OS:
Private report: No CVE-ID:
 [2008-06-12 19:46 UTC] ms419 at freezone dot co dot uk
Description:
------------
I get the following double free or corruption when trying to add attributes of one DOMElement to another DOMElement with setAttributeNode().

Reproduce code:
---------------
<?php

// Minimal document: <bbb> carries the one attribute we will try to move.
$doc = new DOMDocument;
$doc->loadXml(<<<EOF
<?xml version="1.0" encoding="utf-8" ?>
<aaa>
  <bbb foo="bar"/>
</aaa>
EOF
);

$xpath = new DOMXPath($doc);

// Select <bbb> relative to the document element.
$bbb = $xpath->query('bbb', $doc->documentElement)->item(0);

// Hand each attribute node, still owned by <bbb>, to a new element.
// The crash below surfaces at request shutdown, when the document is freed.
$ccc = $doc->createElement('ccc');
foreach ($bbb->attributes as $attr)
{
  $ccc->setAttributeNode($attr);
}


Expected result:
----------------
No double free or corruption

Actual result:
--------------
ket% php test.php
*** glibc detected *** php: double free or corruption (fasttop): 0x09ed5280 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb79ba614]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb79bc816]
/usr/lib/libxml2.so.2(xmlFreeProp+0x9b)[0xb7aed17b]
/usr/lib/libxml2.so.2(xmlFreePropList+0x1b)[0xb7aed3bb]
/usr/lib/libxml2.so.2(xmlFreeNodeList+0xba)[0xb7aecaea]
/usr/lib/libxml2.so.2(xmlFreeNodeList+0x97)[0xb7aecac7]
/usr/lib/libxml2.so.2(xmlFreeDoc+0xbc)[0xb7aec90c]
php(php_libxml_decrement_doc_ref+0x5a)[0x8098cea]
php(dom_objects_free_storage+0x70)[0x80de820]
php(zend_objects_store_del_ref_by_handle+0x1cb)[0x82df80b]
php(zend_objects_store_del_ref+0x28)[0x82df858]
php(_zval_dtor_func+0x71)[0x82bfbc1]
php(_zval_ptr_dtor+0x78)[0x82b28f8]
php[0x82caed5]
php(zend_hash_reverse_apply+0x6e)[0x82cafde]
php(shutdown_destructors+0x7c)[0x82b280c]
php(zend_call_destructors+0x44)[0x82c0354]
php(php_request_shutdown+0x2fc)[0x8277b2c]
php(main+0x5f7)[0x83528b7]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7962455]
php[0x8097cb1]
======= Memory map: ========
08048000-08521000 r-xp 00000000 fe:00 6182198    /usr/bin/php5
08521000-08558000 rw-p 004d8000 fe:00 6182198    /usr/bin/php5
08558000-0855d000 rw-p 08558000 00:00 0
09d65000-09ef2000 rw-p 09d65000 00:00 0          [heap]
b6621000-b662d000 r-xp 00000000 fe:00 4866377    /lib/libgcc_s.so.1
b662d000-b662e000 rw-p 0000b000 fe:00 4866377    /lib/libgcc_s.so.1
b662e000-b662f000 ---p b662e000 00:00 0
b662f000-b6e2f000 rw-p b662f000 00:00 0
b6e2f000-b6e39000 r-xp 00000000 fe:00 4867708    /lib/i686/cmov/libnss_files-2.7.so
b6e39000-b6e3b000 rw-p 00009000 fe:00 4867708    /lib/i686/cmov/libnss_files-2.7.so
b6e3b000-b6e4b000 r-xp 00000000 fe:00 6179047    /usr/lib/libexslt.so.0.8.13
b6e4b000-b6e4c000 rw-p 0000f000 fe:00 6179047    /usr/lib/libexslt.so.0.8.13
b6e5e000-b6e79000 r-xp 00000000 fe:00 6619204    /usr/lib/php5/20060613+lfs/syck.so
b6e79000-b6e7a000 rw-p 0001b000 fe:00 6619204    /usr/lib/php5/20060613+lfs/syck.so
b6e7a000-b6e81000 r-xp 00000000 fe:00 4867730    /lib/i686/cmov/librt-2.7.so
b6e81000-b6e83000 rw-p 00006000 fe:00 4867730    /lib/i686/cmov/librt-2.7.so
b6e83000-b6ea3000 r-xp 00000000 fe:00 6180976    /usr/lib/libssh2.so.1.0.0
b6ea3000-b6ea4000 rw-p 0001f000 fe:00 6180976    /usr/lib/libssh2.so.1.0.0
b6ea4000-b6ed4000 r-xp 00000000 fe:00 6177806    /usr/lib/libidn.so.11.5.37
b6ed4000-b6ed5000 rw-p 00030000 fe:00 6177806    /usr/lib/libidn.so.11.5.37
b6ed5000-b6f08000 r-xp 00000000 fe:00 6179058    /usr/lib/libxslt.so.1.1.24
b6f08000-b6f09000 rw-p 00033000 fe:00 6179058    /usr/lib/libxslt.so.1.1.24
b6f09000-b6f4b000 r-xp 00000000 fe:00 6176997    /usr/lib/libcurl.so.4.1.0
b6f4b000-b6f4c000 rw-p 00041000 fe:00 6176997    /usr/lib/libcurl.so.4.1.0
b6f4c000-b6f4d000 rw-p b6f4c000 00:00 0
b6f4d000-b6f8f000 r-xp 00000000 fe:00 6178279    /usr/lib/libgmp.so.3.4.2
b6f8f000-b6f90000 rw-p 00042000 fe:00 6178279    /usr/lib/libgmp.so.3.4.2
b6f90000-b6fad000 r-xp 00000000 fe:00 6192008    /usr/lib/libpq.so.5.1
b6fad000-b6fae000 rw-p 0001d000 fe:00 6192008    /usr/lib/libpq.so.5.1
b6fae000-b7007000 r-xp 00000000 fe:00 6179774    /usr/lib/libsqlite3.so.0.8.6
b7007000-b7009000 rw-p 00058000 fe:00 6179774    /usr/lib/libsqlite3.so.0.8.6
b7009000-b71aa000 r-xp 00000000 fe:00 6176862    /usr/lib/libmysqlclient.so.15.0.0
b71aa000-b71ee000 rw-p 001a0000 fe:00 6176862    /usr/lib/libmysqlclient.so.15.0.0
b71ee000-b71ef000 rw-p b71ee000 00:00 0
b71ef000-b7240000 r-xp 00000000 fe:00 5904125    /usr/lib/libraptor.so.1.1.0
b7240000-b7242000 rw-p 00051000 fe:00 5904125    /usr/lib/libraptor.so.1.1.0
b7242000-b7273000 r-xp 00000000 fe:00 6180883    /usr/lib/librasqal.so.0.0.0
b7273000-b7274000 rw-p 00031000 fe:00 6180883    /usr/lib/librasqal.so.0.0.0
b7274000-b72b0000 r-xp 00000000 fe:00 6179811    /usr/lib/librdf.so.0.0.0
b72b0000-b72b1000 rw-p 0003b000 fe:00 6179811    /usr/lib/librdf.so.0.0.0
b72b1000-b72ce000 r-xp 00000000 fe:00 10551743   /usr/lib/php5/20060613+lfs/redland.so
b72ce000-b72d0000 rw-p 0001d000 fe:00 10551743   /usr/lib/php5/20060613+lfs/redland.so
b72d0000-b72e3000 r-xp 00000000 fe:00 6619220    /usr/lib/php5/20060613+lfs/pdo.so
b72e3000-b72e5000 rw-p 00013000 fe:00 6619220    /usr/lib/php5/20060613+lfs/pdo.so
b72e5000-b72fc000 r-xp 00000000 fe:00 6620354    /usr/lib/php5/20060613+lfs/mysqli.so
b72fc000-b72fe000 rw-p 00016000 fe:00 6620354    /usr/lib/php5/20060613+lfs/mysqli.so
b72fe000-b74a1000 r-xp 00000000 fe:00 6176776    /usr/lib/libmysqlclient_r.so.15.0.0
b74a1000-b74e5000 rw-p 001a2000 fe:00 6176776    /usr/lib/libmysqlclient_r.so.15.0.0
b74e5000-b74e6000 rw-p b74e5000 00:00 0
b74ec000-b74f0000 r-xp 00000000 fe:00 6179097    /usr/lib/libnss_db-2.2.3.so
b74f0000-b74f1000 rw-p 00004000 fe:00 6179097    /usr/lib/libnss_db-2.2.3.so
b74f1000-b74f7000 r-xp 00000000 fe:00 6619221    /usr/lib/php5/20060613+lfs/xsl.so
b74f7000-b74f8000 rw-p 00005000 fe:00 6619221    /usr/lib/php5/20060613+lfs/xsl.so
b74f8000-b755e000 r-xp 00000000 fe:00 6181413    /usr/lib/libgcrypt.so.11.4.4
b755e000-b7560000 rw-p 00066000 fe:00 6181413    /usr/lib/libgcrypt.so.11.4.4
b7560000-b756f000 r-xp 00000000 fe:00 6178892    /usr/lib/libtasn1.so.3.0.15
b756f000-b7570000 rw-p 0000e000 fe:00 6178892    /usr/lib/libtasn1.so.3.0.15
b7570000-b75e3000 r-xp 00000000 fe:00 6186627    /usr/lib/libgnutls.so.26.1.6
b75e3000-b75e9000 rw-p 00072000 fe:00 6186627    /usr/lib/libgnutls.so.26.1.6
b75e9000-b75f5000 r-xp 00000000 fe:00 6178125    /usr/lib/liblber-2.4.so.2.0.5
b75f5000-b75f6000 rw-p 0000c000 fe:00 6178125    /usr/lib/liblber-2.4.so.2.0.5
b75f6000-b7634000 r-xp 00000000 fe:00 6182027    /usr/lib/libldap_r-2.4.so.2.0.5
b7634000-b7636000 rw-p 0003d000 fe:00 6182027    /usr/lib/libldap_r-2.4.so.2.0.5
b7636000-b7637000 rw-p b7636000 00:00 0
b7637000-b764d000 r-xp 00000000 fe:00 6177723    /usr/lib/libsasl2.so.2.0.22
b764d000-b764e000 rw-p 00015000 fe:00 6177723    /usr/lib/libsasl2.so.2.0.22
b764e000-b7654000 r-xp 00000000 fe:00 6620355    /usr/lib/php5/20060613+lfs/pdo_mysql.so
b7654000-b7655000 rw-p 00005000 fe:00 6620355    /usr/lib/php5/20060613+lfs/pdo_mysql.so
b7655000-b765f000 r-xp 00zsh: abort      php test.php
ket% 

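The backtrace above places the double free inside xmlFreePropList, called from xmlFreeDoc during php_request_shutdown, i.e. while libxml2 tears down the document's attribute lists. That is consistent with one attribute node being reachable from two elements' property lists after the loop in the reproducer, though the report itself does not say what the fix changed. Whatever the engine does for an attribute that is still owned by another element (reparent it, or raise a DOMException for INUSE_ATTRIBUTE_ERR, depending on the PHP version), code that copies attributes between elements should not depend on it. The following is an added example, not code from the bug report or from PHP's own sources: `copyAttributes` clones each attribute so the target becomes the sole owner of the node it receives, and `moveAttributes` releases ownership explicitly with `removeAttributeNode()` before reattaching. Both snapshot the live `DOMNamedNodeMap` before mutating anything. The function names are this example's own; the input XML is the report's.

```php
<?php
// Added example (not code from the bug report or from PHP itself): two ways
// to give the attributes of one DOMElement to another without handing
// setAttributeNode() an attribute node that another element still owns.
// copyAttributes() and moveAttributes() are names chosen for this example.

declare(strict_types=1);

/**
 * Copy every attribute of $from onto $to, leaving $from untouched.
 * Each attribute is cloned first, so $to is the sole owner of the node it
 * receives. Returns the number of attributes copied.
 */
function copyAttributes(DOMElement $from, DOMElement $to): int
{
    // DOMNamedNodeMap is a live view; snapshot it before touching the tree.
    $attrs = iterator_to_array($from->attributes, false);
    $copied = 0;
    foreach ($attrs as $attr) {
        /** @var DOMAttr $attr */
        $clone = $attr->cloneNode(true); // fresh DOMAttr, owned by no element yet
        if ($clone->namespaceURI !== null) {
            $to->setAttributeNodeNS($clone);
        } else {
            $to->setAttributeNode($clone);
        }
        $copied++;
    }
    return $copied;
}

/**
 * Move every attribute from $from to $to. Ownership is released with
 * removeAttributeNode() before the node is attached elsewhere, so at no
 * point is a single attribute node reachable from two elements.
 * Returns the number of attributes moved.
 */
function moveAttributes(DOMElement $from, DOMElement $to): int
{
    $attrs = iterator_to_array($from->attributes, false);
    $moved = 0;
    foreach ($attrs as $attr) {
        /** @var DOMAttr $attr */
        $detached = $from->removeAttributeNode($attr);
        if ($detached === false) {
            throw new RuntimeException("could not detach attribute {$attr->name}");
        }
        if ($detached->namespaceURI !== null) {
            $to->setAttributeNodeNS($detached);
        } else {
            $to->setAttributeNode($detached);
        }
        $moved++;
    }
    return $moved;
}

// Same input as the bug report.
$xml = <<<XML
<?xml version="1.0" encoding="utf-8" ?>
<aaa>
  <bbb foo="bar"/>
</aaa>
XML;

$doc = new DOMDocument();
$doc->loadXML($xml);
$root = $doc->documentElement;
$bbb = (new DOMXPath($doc))->query('bbb', $root)->item(0);

// <ccc> gets copies; <bbb> keeps its attribute.
$ccc = $doc->createElement('ccc');
copyAttributes($bbb, $ccc);
$root->appendChild($ccc);

// <ddd> takes over ownership; <bbb> is left without the attribute.
$ddd = $doc->createElement('ddd');
moveAttributes($bbb, $ddd);
$root->appendChild($ddd);

echo $doc->saveXML();
```

After `copyAttributes`, the source element still carries its attributes and the target holds independent clones; after `moveAttributes`, the source has none and the target owns the original nodes. In both cases each attribute node has exactly one parent when the document is eventually freed, which is the invariant the reproducer's loop does not maintain.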

History

 [2008-06-12 20:41 UTC] rrichards@php.net
assign to self
 [2008-06-14 11:28 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 18:01:55 2014 UTC