Bug #69373 References to deleted XPath query results
Submitted: 2015-04-04 01:42 UTC Modified: 2015-04-04 08:58 UTC
Votes:2
Avg. Score:3.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: ttoohey@php.net Assigned:
Status: Closed Package: DOM XML related
PHP Version: 5.5, 5.6, master OS: Linux
Private report: No CVE-ID: None
 [2015-04-04 01:42 UTC] ttoohey@php.net
Description:
------------
Creating a node list using the DOMXPath query() or evaluate() functions, then removing the nodes from the document by writing to nodeValue of an ancestor occasionally results in "double free or corruption" or "Segmentation fault". It can also result in the nodeValue text content being cropped.

Test script:
---------------
<?php
// Reproducer: the node list from query() keeps wrapper objects for every
// matched node; assigning nodeValue on the parent frees the children while
// the list is still alive, and the next assignment to $all destroys the
// stale list.
$doc = new DOMDocument();
for ($i = 0; $i < 20; $i++) {
    $doc->loadXML("<parent><child /><child /></parent>");
    $xpath = new DOMXPath($doc);
    $all = $xpath->query('//*');
    $doc->firstChild->nodeValue = '';
}


Actual result:
--------------
#0  0x00007ffff698e107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff698f4e8 in __GI_abort () at abort.c:89
#2  0x00007ffff69cc204 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6abefe0 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff69d19de in malloc_printerr (action=1, str=0x7ffff6abb09e "free(): invalid pointer", ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff69d26e6 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5  0x0000000000454bc8 in php_libxml_node_decrement_resource (object=0x68f1) at /tmp/php-src/ext/libxml/libxml.c:1330
#6  0x000000000052e785 in dom_objects_free_storage (object=0x7ffff606d218) at /tmp/php-src/ext/dom/php_dom.c:1045
#7  0x0000000000702992 in zend_objects_store_del (object=0x68f1) at /tmp/php-src/Zend/zend_objects_API.c:181
#8  0x00000000006d818b in i_zval_ptr_dtor (zval_ptr=0x7ffff605e908) at /tmp/php-src/Zend/zend_variables.h:57
#9  zend_array_destroy (ht=0x7ffff6057268) at /tmp/php-src/Zend/zend_hash.c:1179
#10 0x000000000052df71 in dom_nnodemap_object_dtor (object=0x7ffff606d1d8) at /tmp/php-src/ext/dom/php_dom.c:1136
#11 0x00000000007029ac in zend_objects_store_del (object=0x68f1) at /tmp/php-src/Zend/zend_objects_API.c:163
#12 0x0000000000719b63 in zend_assign_to_variable (value_type=4 '\004', value=0x7ffff6014150, variable_ptr=0x7ffff60140c0)
    at /tmp/php-src/Zend/zend_execute.h:102
#13 ZEND_ASSIGN_SPEC_CV_VAR_HANDLER () at /tmp/php-src/Zend/zend_vm_execute.h:31935
#14 0x0000000000707a1b in execute_ex (ex=<optimized out>) at /tmp/php-src/Zend/zend_vm_execute.h:394
#15 0x00000000006c73d5 in zend_execute_scripts (type=26865, type@entry=8, retval=0x68f1, retval@entry=0x0, file_count=6, file_count@entry=3)
    at /tmp/php-src/Zend/zend.c:1364
#16 0x000000000066cf68 in php_execute_script (primary_file=0x7fffffffcf20) at /tmp/php-src/main/main.c:2481
#17 0x000000000075f2da in do_cli (argc=26865, argv=0x68f1) at /tmp/php-src/sapi/cli/php_cli.c:967
#18 0x0000000000426c47 in main (argc=26865, argv=0x68f1) at /tmp/php-src/sapi/cli/php_cli.c:1334
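The ordering hazard described in the report, as an added example that is not part of the bug report or of php-src: plain data is copied out of the XPath result and the result list is released before the ancestor's nodeValue is rewritten, so no wrapper object for a freed descendant is left behind (the safe ordering is assumed as a userland mitigation for unfixed builds; the input document is constructed to match the reproducer).

```php
<?php
// Added example, not from bug #69373 or php-src. The backtrace above shows
// the DOMNodeList destructor releasing nodes that nodeValue assignment had
// already freed. Mitigation: extract what you need from the query result,
// let the list go out of scope, and only then mutate the subtree.

function collectNodeNames(DOMDocument $doc)
{
    $xpath = new DOMXPath($doc);
    $names = array();
    foreach ($xpath->query('//*') as $node) {
        $names[] = $node->nodeName;   // copy plain strings, not node objects
    }
    // $xpath, the node list and $node are all released when this returns,
    // before any mutation of the document happens.
    return $names;
}

function replaceParentText(DOMDocument $doc, $text)
{
    // Precondition: no DOMNode wrappers for descendants of the root element
    // are alive at this point (see collectNodeNames above).
    $doc->documentElement->nodeValue = $text;
}

function contentIntact(DOMDocument $doc, $expected)
{
    // Cropped text content was one reported symptom of the unsafe ordering;
    // after the safe ordering the element holds exactly one text node with
    // the full replacement string.
    return $doc->documentElement->childNodes->length === 1
        && $doc->documentElement->textContent === $expected;
}

// Constructed input matching the report's reproducer.
$doc = new DOMDocument();
$doc->loadXML('<parent><child /><child /></parent>');

$names = collectNodeNames($doc);           // array('parent', 'child', 'child')
replaceParentText($doc, 'replacement text');

echo contentIntact($doc, 'replacement text') ? "content intact\n"
                                             : "content cropped\n";
```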


History
 [2015-04-04 08:58 UTC] nikic@php.net
-PHP Version: master-Git-2015-04-04 (Git) +PHP Version: 5.5, 5.6, master
 [2015-04-04 08:58 UTC] nikic@php.net
Can reproduce on PHP 5.5 and 5.6 as well.
 [2017-06-02 22:42 UTC] nikic@php.net
Automatic comment on behalf of ttoohey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d027bc2addb4f12e0030532933a2c85c07cdb293
Log: Fixed bug #69373
 [2017-06-02 22:42 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 13 14:01:27 2024 UTC