|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70359 print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()
Submitted: 2015-08-25 16:26 UTC Modified: 2018-08-10 15:17 UTC
Avg. Score:3.7 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: rainer-phpbugs at 7val dot com Assigned:
Status: Closed Package: DOM XML related
PHP Version: 7.0.0RC1 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: rainer-phpbugs at 7val dot com
New email:
PHP Version: OS:


 [2015-08-25 16:26 UTC] rainer-phpbugs at 7val dot com
(gdb) run a.php
Starting program: /home/canavan/FIT/14-7/lib/fit/bin/php a.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".

Program received signal SIGSEGV, Segmentation fault.
php_libxml_node_free_list (node=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:235
235                             switch (node->type) {
(gdb) bt
#0  php_libxml_node_free_list (node=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:235
#1  0x000000000045c769 in php_libxml_node_free_list (node=0xe4ca90) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:255
#2  0x000000000045c8c1 in php_libxml_node_free_resource (node=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:1298
#3  0x000000000045ca78 in php_libxml_node_decrement_resource (object=0x21) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/libxml/libxml.c:1333
#4  0x0000000000473005 in dom_objects_free_storage (object=0x7ffff1270198) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/dom/php_dom.c:1045
#5  0x000000000071d61a in zend_objects_store_del (object=0x7ffff1270198) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_objects_API.c:181
#6  0x0000000000472d15 in _zval_dtor (zvalue=0x7fffffff9f50, zvalue=0x7fffffff9f50) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_variables.h:43
#7  dom_get_debug_info_helper (is_temp=<optimized out>, object=<optimized out>) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/dom/php_dom.c:444
#8  dom_get_debug_info (object=<optimized out>, is_temp=<optimized out>) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/dom/php_dom.c:459
#9  0x00000000006d9c09 in zend_print_zval_r_ex (write_func=0x66c070 <php_output_wrapper>, expr=0x7ffff12131c0, indent=indent@entry=0)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend.c:359
#10 0x00000000006d9d74 in zend_print_zval_r (expr=<optimized out>, indent=indent@entry=0) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend.c:324
#11 0x00000000005e252e in zif_print_r (execute_data=<optimized out>, return_value=0x7ffff1213150)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/ext/standard/basic_functions.c:5488
#12 0x000000000073379d in ZEND_DO_ICALL_SPEC_HANDLER () at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_vm_execute.h:577
#13 0x0000000000722fcb in execute_ex (ex=<optimized out>) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_vm_execute.h:406
#14 0x0000000000790547 in zend_execute (op_array=0x7ffff1284000, return_value=<optimized out>)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend_vm_execute.h:450
#15 0x00000000006db7f5 in zend_execute_scripts (type=8, retval=0x7ffff1200000, retval@entry=0x0, file_count=3)
    at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/Zend/zend.c:1404
#16 0x000000000066ffe8 in php_execute_script (primary_file=0x7fffffffc6a0) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/main/main.c:2475
#17 0x000000000079278b in do_cli (argc=33, argv=0x7ffff1200000) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/sapi/cli/php_cli.c:971
#18 0x0000000000429130 in main (argc=33, argv=0x7ffff1200000) at /home/canavan/fit/trunk/build/src/external/php-7.0.0RC1/sapi/cli/php_cli.c:1338

Test script:
$dom = new DOMDocument();

if ($dom->documentElement) {
    if ($spaceNode = $dom->documentElement->getAttributeNode('xmlns')) {

with sitemap.xml

<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="" xmlns:xsi="fooooooooooooooooooooo">

Expected result:
No segfault, possibly an error or warning.

Affects PHP 5.6.11 as well as 7.0-rc1


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-25 21:17 UTC]
-Status: Open +Status: Verified
 [2015-08-25 21:17 UTC]
Confirmed: <>. Additionally, accessing the
parentNode of such an attribute node also segfaults, see

It appears the culprit is in DomElement::getAttributeNode()[1].
The _private member is supposed to hold a dom_object*, but is
later assigned to the parent member of the new xmlNode. Changing
the code respectively would prevent the segfault and give a
reasonable result, but leaks memory (valgrind).

[1] <>
 [2018-08-10 15:17 UTC]
Actually the culprit is dom_get_dom1_attribute()[1], which may
cast pointers to xmlNs[2] to pointers to xmlNode[3], although
these types are incompatible.

[1] <>
[2] <>
[3] <>
 [2023-06-09 19:51 UTC]
Automatic comment on behalf of nielsdos
Log: Fix #70359 and #78577: segfaults with DOMNameSpaceNode
 [2023-06-09 19:51 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Dec 08 13:01:26 2023 UTC