From: james at safesearching dot com
Operating system: Redhat 7.3
PHP version: 5.0.4
PHP Bug Type: DOM XML related
Bug description: Segfault in DOMNode::replaceChild() when previousSibling is NULL

Description:
------------
Segfaults occur when calling DOMNode::replaceChild() if previousSibling is NULL and nextSibling is not NULL. The segfault occurs on line 1150 of ext/dom/node.c. The relevant code being:

    if (prevsib == NULL && nextsib == NULL) {
        nodep->children = newchild;
        nodep->last = fragment->last;
    } else {
        if (newchild) {
            prevsib->next = newchild;        /* <--- segfault is here */
            newchild->prev = prevsib;
            fragment->last->next = nextsib;
            if (nextsib) {
                nextsib->prev = fragment->last;
            } else {
                nodep->last = fragment->last;
            }
        }
    }

The code doesn't check for the possibility that prevsib == NULL and nextsib != NULL.

Reproduce code:
---------------
<?php
header('Content-type: text/plain;');
$xml = "<root><first/><second/></root>\n";
$dom = new DomDocument;
$dom->loadXML($xml);
$root = $dom->documentElement;
$node = $dom->createElement('newfirst');
$frag = $dom->createDocumentFragment();
$frag->appendChild($node);
$root->replaceChild($frag, $root->firstChild);
print_r($dom->saveXML());
?>

Expected result:
----------------
<?xml version="1.0"?>
<root><newfirst/><second/></root>

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 4477)]
0x403490ac in zif_dom_node_replace_child (ht=2, return_value=0x814822c, this_ptr=0x81452c4, return_value_used=0) at /home/james/php-5.0.4/ext/dom/node.c:1150
1150            prevsib->next = newchild;
(gdb) bt
#0  0x403490ac in zif_dom_node_replace_child (ht=2, return_value=0x814822c, this_ptr=0x81452c4, return_value_used=0) at /home/james/php-5.0.4/ext/dom/node.c:1150
#1  0x4047ac3a in zend_do_fcall_common_helper (execute_data=0xbfffb4c0, opline=0x814a310, op_array=0x81451cc) at /home/james/php-5.0.4/Zend/zend_execute.c:2727
#2  0x4047b1a7 in zend_do_fcall_by_name_handler (execute_data=0xbfffb4c0, opline=0x814a310, op_array=0x81451cc) at /home/james/php-5.0.4/Zend/zend_execute.c:2841
#3  0x40477a55 in execute (op_array=0x81451cc) at /home/james/php-5.0.4/Zend/zend_execute.c:1406
#4  0x404530e3 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/james/php-5.0.4/Zend/zend.c:1069
#5  0x404123b8 in php_execute_script (primary_file=0xbfffd820) at /home/james/php-5.0.4/main/main.c:1632
#6  0x40482442 in apache_php_module_main (r=0x8138480, display_source_mode=0) at /home/james/php-5.0.4/sapi/apache/sapi_apache.c:54
#7  0x4048310c in send_php (r=0x8138480, display_source_mode=0, filename=0x8139f88 "/var/www/html/test1.php") at /home/james/php-5.0.4/sapi/apache/mod_php5.c:622
#8  0x40483165 in send_parsed_php (r=0x8138480) at /home/james/php-5.0.4/sapi/apache/mod_php5.c:637
#9  0x0805480d in ap_invoke_handler ()
#10 0x08067b0c in process_request_internal ()
#11 0x08067b83 in ap_process_request ()
#12 0x0805fc97 in child_main ()
#13 0x0805fe3a in make_child ()
#14 0x0805ff7d in startup_children ()
#15 0x080605d0 in standalone_main ()
#16 0x08060ed3 in main ()
#17 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6

-- Edit bug report at http://bugs.php.net/?id=32615&edit=1
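The missing case, worked through as an added example that is not PHP's own fix for this report: the node struct, append_child, replace_child and run_scenario below are constructed stand-ins modelled on libxml2's linked child list, and the splice patches the prev and next links independently so a NULL prevsib with a non-NULL nextsib is handled.

```c
#include <string.h>

/* Minimal doubly-linked child list in the style of libxml2's xmlNode
 * (a constructed model for this example, not PHP's or libxml2's own types). */
typedef struct node {
    const char *name;
    struct node *parent, *prev, *next, *children, *last;
} node;

/* Append child at the end of parent's child list. */
static void append_child(node *parent, node *child) {
    child->parent = parent; child->prev = parent->last; child->next = NULL;
    if (parent->last) parent->last->next = child; else parent->children = child;
    parent->last = child;
}

/* Replace old with every child of frag. Unlike the snippet in the report, the
 * prev and next links are patched independently, so prevsib == NULL together
 * with nextsib != NULL (old is the first of several children) never
 * dereferences NULL. Returns 0 on success, -1 on a bad argument. */
static int replace_child(node *parent, node *frag, node *old) {
    if (!parent || !frag || !frag->children || !old || old->parent != parent) return -1;
    node *prevsib = old->prev, *nextsib = old->next;
    node *first = frag->children, *last = frag->last;
    for (node *n = first; n; n = n->next) n->parent = parent;
    first->prev = prevsib; last->next = nextsib;
    if (prevsib) prevsib->next = first; else parent->children = first; /* old was first */
    if (nextsib) nextsib->prev = last;  else parent->last = last;      /* old was last */
    old->parent = old->prev = old->next = NULL;
    frag->children = frag->last = NULL;
    return 0;
}

/* Write parent's child names, space separated, into buf. */
static const char *child_names(const node *parent, char *buf, size_t len) {
    buf[0] = '\0';
    for (const node *n = parent->children; n; n = n->next) {
        if (buf[0]) strncat(buf, " ", len - strlen(buf) - 1);
        strncat(buf, n->name, len - strlen(buf) - 1);
    }
    return buf;
}

/* The report's scenario: <root><first/><second/></root>, replace <first/> with a
 * fragment holding <newfirst/>. nchildren == 1 leaves only <first/> under root,
 * covering the prevsib == NULL && nextsib == NULL branch as well. */
static const char *run_scenario(int nchildren) {
    static char buf[64];
    node root = {"root"}, first = {"first"}, second = {"second"};
    node frag = {"#fragment"}, newfirst = {"newfirst"};
    append_child(&root, &first);
    if (nchildren > 1) append_child(&root, &second);
    append_child(&frag, &newfirst);
    return replace_child(&root, &frag, &first) == 0 ? child_names(&root, buf, sizeof buf) : "error";
}
```

run_scenario(2) reproduces the crashing input from the report and yields the child order "newfirst second"; run_scenario(1) exercises the only-child path.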