ID: 32615
Updated by: [EMAIL PROTECTED]
Reported By: james at safesearching dot com
-Status: Open
+Status: Assigned
Bug Type: DOM XML related
Operating System: Redhat 7.3
PHP Version: 5.0.4
-Assigned To:
+Assigned To: rrichards
New Comment:
Assigning to the maintainer.
Previous Comments:
------------------------------------------------------------------------
[2005-04-07 02:14:42] james at safesearching dot com
Description:
------------
A segfault occurs when calling DOMNode::replaceChild() if
previousSibling is NULL and nextSibling is not NULL.
The segfault occurs on line 1150 of ext/dom/node.c. The relevant code
being:
if (prevsib == NULL && nextsib == NULL) {
    nodep->children = newchild;
    nodep->last = fragment->last;
} else {
    if (newchild) {
        prevsib->next = newchild;   /* <--- segfault is here */
        newchild->prev = prevsib;
        fragment->last->next = nextsib;
        if (nextsib) {
            nextsib->prev = fragment->last;
        } else {
            nodep->last = fragment->last;
        }
    }
}
The code doesn't check for the possibility that prevsib == NULL and
nextsib != NULL.
Reproduce code:
---------------
<?php
header('Content-type: text/plain;');
$xml = "<root><first/><second/></root>\n";
$dom = new DomDocument;
$dom->loadXML($xml);
$root = $dom->documentElement;
$node = $dom->createElement('newfirst');
$frag = $dom->createDocumentFragment();
$frag->appendChild($node);
$root->replaceChild($frag, $root->firstChild);
print_r($dom->saveXML());
?>
Expected result:
----------------
<?xml version="1.0"?>
<root><newfirst/><second/></root>
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 4477)]
0x403490ac in zif_dom_node_replace_child (ht=2, return_value=0x814822c,
    this_ptr=0x81452c4, return_value_used=0)
    at /home/james/php-5.0.4/ext/dom/node.c:1150
1150        prevsib->next = newchild;
(gdb) bt
#0 0x403490ac in zif_dom_node_replace_child (ht=2,
return_value=0x814822c,
this_ptr=0x81452c4, return_value_used=0)
at /home/james/php-5.0.4/ext/dom/node.c:1150
#1 0x4047ac3a in zend_do_fcall_common_helper
(execute_data=0xbfffb4c0,
opline=0x814a310, op_array=0x81451cc)
at /home/james/php-5.0.4/Zend/zend_execute.c:2727
#2 0x4047b1a7 in zend_do_fcall_by_name_handler
(execute_data=0xbfffb4c0,
opline=0x814a310, op_array=0x81451cc)
at /home/james/php-5.0.4/Zend/zend_execute.c:2841
#3 0x40477a55 in execute (op_array=0x81451cc)
at /home/james/php-5.0.4/Zend/zend_execute.c:1406
#4 0x404530e3 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at /home/james/php-5.0.4/Zend/zend.c:1069
#5 0x404123b8 in php_execute_script (primary_file=0xbfffd820)
at /home/james/php-5.0.4/main/main.c:1632
#6 0x40482442 in apache_php_module_main (r=0x8138480,
display_source_mode=0)
at /home/james/php-5.0.4/sapi/apache/sapi_apache.c:54
#7 0x4048310c in send_php (r=0x8138480, display_source_mode=0,
filename=0x8139f88 "/var/www/html/test1.php")
at /home/james/php-5.0.4/sapi/apache/mod_php5.c:622
#8 0x40483165 in send_parsed_php (r=0x8138480)
at /home/james/php-5.0.4/sapi/apache/mod_php5.c:637
#9 0x0805480d in ap_invoke_handler ()
#10 0x08067b0c in process_request_internal ()
#11 0x08067b83 in ap_process_request ()
#12 0x0805fc97 in child_main ()
#13 0x0805fe3a in make_child ()
#14 0x0805ff7d in startup_children ()
#15 0x080605d0 in standalone_main ()
#16 0x08060ed3 in main ()
#17 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
------------------------------------------------------------------------
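A constructed C model of the sibling splice, added here as an illustration and not PHP's or libxml2's code: the node struct, mk, append and replace_with_fragment are assumptions that mimic only the link fields the quoted ext/dom/node.c code touches, and the splice is written so the prevsib == NULL, nextsib != NULL case from the report updates the parent's first-child pointer instead of dereferencing NULL.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the libxml2 xmlNode links the splice touches. */
typedef struct node {
    const char *name;
    struct node *children, *last, *prev, *next;
} node_t;
static node_t *mk(const char *name) { node_t *n = calloc(1, sizeof *n); if (n) n->name = name; return n; }
/* Append c at the end of parent's child list. */
static void append(node_t *parent, node_t *c) {
    c->prev = parent->last;
    if (parent->last) parent->last->next = c; else parent->children = c;
    parent->last = c;
}

/* Same shape as the ext/dom/node.c splice quoted in the report, but a NULL
 * prevsib now makes the fragment the first child instead of a write through NULL. */
static void replace_with_fragment(node_t *nodep, node_t *fragment, node_t *oldchild) {
    node_t *prevsib = oldchild->prev, *nextsib = oldchild->next;
    node_t *newchild = fragment->children;
    if (!newchild) return;                 /* empty fragment: nothing to splice */
    if (prevsib) prevsib->next = newchild; else nodep->children = newchild;
    newchild->prev = prevsib;
    fragment->last->next = nextsib;
    if (nextsib) nextsib->prev = fragment->last; else nodep->last = fragment->last;
    fragment->children = fragment->last = NULL;
    free(oldchild);
}

/* Child names as "a,b" into buf; NULL if the prev/next links disagree. */
static const char *children_names(const node_t *p, char *buf, size_t sz) {
    buf[0] = '\0';
    if (p->children && p->children->prev) return NULL;
    for (const node_t *c = p->children; c; c = c->next) {
        if (c->next ? c->next->prev != c : p->last != c) return NULL;
        if (c != p->children) strncat(buf, ",", sz - strlen(buf) - 1);
        strncat(buf, c->name, sz - strlen(buf) - 1);
    }
    return buf;
}

/* The report's <root><first/><second/></root>: replace the first child
 * (which == 0, the crashing case) or the last child with <newfirst/>. */
static const char *reproduce(int which, char *buf, size_t sz) {
    node_t *root = mk("root"), *frag = mk("#fragment");
    append(root, mk("first")); append(root, mk("second"));
    append(frag, mk("newfirst"));
    replace_with_fragment(root, frag, which == 0 ? root->children : root->last);
    return children_names(root, buf, sz);
}
```

reproduce(0, ...) is the report's scenario and yields "newfirst,second"; reproduce(1, ...) exercises the prevsib != NULL, nextsib == NULL branch that the original code already handled.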