Bug #81506 malloc(): unaligned tcache chunk detected
Submitted: 2021-10-05 13:45 UTC
Modified: -
From: sjon@php.net
Assigned:
Status: Open
Package: DOM XML related
PHP Version: 8.1.0RC3
OS: archLinux
Private report: No
CVE-ID: None

 [2021-10-05 13:45 UTC] sjon@php.net
Description:
------------
Found this while going through bughunt, see https://3v4l.org/N6CNZ

It seems different from these two known issues: #79451 and #80602.

Test script:
---------------
<?php

$dom = null;
$dt = null;
$impl = null;

function doThing() {
    $my_arr = [];

    global $dom, $dt, $impl;

    for ($x = 0; $x < 7; $x++) {
        $dom = new \DOMDocument();
        $dom->loadHTML("<!DOCTYPE html><p>hello</p>");
        $impl = new \DOMImplementation();
        $dt = $impl->createDocumentType("html", "", "");

        array_push($my_arr, $dt, $dom, $impl);
    }

    $dom = new \DOMDocument();
    $dom->loadHTML("<!DOCTYPE html><p>hello</p>");
    $impl = new \DOMImplementation();
    $dt = $impl->createDocumentType("html", "", "");
}
//gc_collect_cycles();

doThing();
gc_collect_cycles();
$dom->replaceChild($dt, $dom->doctype); // FREE THE FIRST TIME!

doThing(); // fill up tcache; comment this out for tcache double free malding
gc_collect_cycles(); // FREE AGAIN

Expected result:
----------------
no segmentation fault

Actual result:
--------------
malloc(): unaligned tcache chunk detected

Process exited with code 134.

Last updated: Tue Dec 07 10:03:34 2021 UTC