Bug #70535 XSLT: free(): invalid pointer
Submitted: 2015-09-20 12:43 UTC
Modified: -
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: lalalalalalala at emailn dot de
Assigned:
Status: Closed
Package: XSLT related
PHP Version: 7.0.0RC3
OS: Windows 10 / Debian 8.2
Private report: No
CVE-ID:
 [2015-09-20 12:43 UTC] lalalalalalala at emailn dot de
Description:
------------
Windows (x64 with 32 bit PHP):
PHP 7.0.0RC3 (cli) (built: Sep 16 2015 13:41:53)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v3.0.0-dev, Copyright (c) 1998-2015 Zend Technologies

Debian (armv7l):
PHP 7.0.0RC3 (cli) (built: Sep 17 2015 22:12:59)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v3.0.0-dev, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

Windows: Downloaded from http://windows.php.net/qa/ (VC14 x86 Thread Safe (2015-Sep-17 00:25:13))
Debian: Built with https://github.com/php-build/php-build (0df4c0c)

Using default php.ini (with enabled extension on Windows: php_xsl)


Calling XSLTProcessor::transformToXML crashes PHP.

Stacktrace (Debug Diagnostic Tool)

Entry point   php!mainCRTStartup 
Create time   20.09.2015 13:14:38 
Time spent in user mode   0 Days 00:00:00.015 
Time spent in kernel mode   0 Days 00:00:00.015 

ntdll!RtlReportCriticalFailure+83    
ntdll!RtlpHeapHandleError+1c    
ntdll!RtlpLogHeapFailure+9f    
ntdll!RtlpFreeHeapInternal+ed    
ntdll!RtlFreeHeap+2c    
AcLayers!NS_FaultTolerantHeap::APIHook_RtlFreeHeap+418    
ucrtbase!free+1b    
php7ts!xmlFreeNodeList+156 



Test script:
---------------
<?php

$xmlInput = simplexml_load_string('<root></root>');
$xslInput = '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:template match="root"><xsl:text>success</xsl:text></xsl:template></xsl:stylesheet>';

$xsl = new \DomDocument();
$xsl->loadXML($xslInput);
$xslt = new \XsltProcessor();
$xslt->importStylesheet($xsl);
$xmloutput = $xslt->transformToXml($xmlInput);

echo $xmloutput;

Expected result:
----------------
Output and no crash (works fine on 5.6.13):
<?xml version="1.0"?>
success

Actual result:
--------------
On Windows:
Output:
<?xml version="1.0"?>
success

After that: 
Windows popup: "CLI has stopped working - A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."


On Debian:
<?xml version="1.0"?>
success
*** Error in `php': free(): invalid pointer: 0x009d994b ***
Aborted

Even after several runs, the pointer remains the same.

History

 [2015-09-20 16:33 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3fc5f5cdb5d22461241b38d0e8cba8ae89b2db71
Log: Fixed bug #70535 (XSLT: free(): invalid pointer)
 [2015-09-20 16:33 UTC] laruence@php.net
-Status: Open
+Status: Closed
 [2015-09-29 13:10 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3fc5f5cdb5d22461241b38d0e8cba8ae89b2db71
Log: Fixed bug #70535 (XSLT: free(): invalid pointer)
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3fc5f5cdb5d22461241b38d0e8cba8ae89b2db71
Log: Fixed bug #70535 (XSLT: free(): invalid pointer)
 
Last updated: Tue Feb 28 14:01:40 2017 UTC