php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81506 malloc(): unaligned tcache chunk detected
Submitted: 2021-10-05 13:45 UTC Modified: 2023-06-04 12:12 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: sjon@php.net Assigned: nielsdos (profile)
Status: Closed Package: DOM XML related
PHP Version: 8.1.0RC3 OS: archLinux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sjon@php.net
New email:
PHP Version: OS:

 

 [2021-10-05 13:45 UTC] sjon@php.net 
Description:
------------
Found this while going through bughunt, see https://3v4l.org/N6CNZ

it seems different from these two known issues #79451 and #80602

Test script:
---------------
<?php

$dom = null;
$dt = null;
$impl = null;

function doThing() {
$my_arr = [];

global $dom,$dt,$impl;

for($x = 0; $x < 7; $x++) {
$dom = new \DOMDocument();
$dom->loadHTML("<!DOCTYPE html><p>hello</p>");
$impl = new \DOMImplementation();
$dt = $impl->createDocumentType("html", "", "");

array_push($my_arr, $dt, $dom, $impl);
}

$dom = new \DOMDocument();
$dom->loadHTML("<!DOCTYPE html><p>hello</p>");
$impl = new \DOMImplementation();
$dt = $impl->createDocumentType("html", "", "");
}
//gc_collect_cycles();

doThing();
gc_collect_cycles();
$dom->replaceChild($dt, $dom->doctype); // FREE THE FIRST TIME!

doThing(); // fill up tcache; coimment this out for tcache double free malding
gc_collect_cycles(); // FREE AGAIN

Expected result:
----------------
no segmentation fault

Actual result:
--------------
malloc(): unaligned tcache chunk detected

Process exited with code 134.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-06-04 12:12 UTC] nielsdos@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nielsdos
 [2023-06-04 12:12 UTC] nielsdos@php.net 
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at
http://www.php.net/downloads.php

This was fixed in 8.0.24, 8.1.11 and 8.2.0, but the issue wasn't yet closed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 00:01:28 2024 UTC