php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79968 DOMText::before() crashes
Submitted: 2020-08-13 11:06 UTC Modified: 2020-08-13 11:06 UTC
From: nikic@php.net Assigned: beberlei (profile)
Status: Closed Package: DOM XML related
PHP Version: 8.0.0beta1 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: nikic@php.net
New email:
PHP Version: OS:

 

 [2020-08-13 11:06 UTC] nikic@php.net
Description:
------------
<?php
$cdata = new DOMText;
$cdata->before(null);

==441255== Invalid read of size 4
==441255==    at 0x488E30: dom_zvals_to_fragment (parentnode.c:137)
==441255==    by 0x489514: dom_parent_node_before (parentnode.c:339)
==441255==    by 0x494744: zim_DOMCharacterData_before (characterdata.c:428)
==441255==    by 0x9FA8B4: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1618)
==441255==    by 0xA678B8: execute_ex (zend_vm_execute.h:53562)
==441255==    by 0xA6CA21: zend_execute (zend_vm_execute.h:57766)
==441255==    by 0x9C134B: zend_execute_scripts (zend.c:1696)
==441255==    by 0x923E4E: php_execute_script (main.c:2535)
==441255==    by 0xAABE2F: do_cli (php_cli.c:949)
==441255==    by 0xAACE6E: main (php_cli.c:1336)
==441255==  Address 0x8 is not stack'd, malloc'd or (recently) free'd



Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-08-13 11:06 UTC] nikic@php.net
-Assigned To: +Assigned To: beberlei
 [2020-08-15 08:38 UTC] beberlei@php.net
According to the spec, for an element that has its hierachy preconditions fail an exception should be thrown:

node . before(...nodes)

    Inserts nodes just before node, while replacing strings in nodes with equivalent Text nodes.

    Throws a "HierarchyRequestError" DOMException if the constraints of the node tree are violated.

It looks this is not implemented and causes the segfault.
 [2020-08-15 08:54 UTC] beberlei@php.net
The following pull request has been associated:

Patch Name: Fix #79968: Manipulation on unattached DOMChildNode should throw DOMException
On GitHub:  https://github.com/php/php-src/pull/5990
Patch:      https://github.com/php/php-src/pull/5990.patch
 [2020-08-19 09:55 UTC] beberlei@php.net
Automatic comment on behalf of kontakt@beberlei.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f6820f7f1bfde876cb91bfd473f6d8b679fc474
Log: Fix #79968: Manipulation on unattached DOMChildNode should throw DOMException
 [2020-08-19 09:55 UTC] beberlei@php.net
-Status: Assigned +Status: Closed
 [2020-08-19 10:20 UTC] beberlei@php.net
Automatic comment on behalf of kontakt@beberlei.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a34fd4d590b36a9c42bb7e65c51202ef951afbdf
Log: Update NEWS w.r.t to bugfix #79968
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Sep 22 05:01:30 2020 UTC