From: ms419 at freezone dot co dot uk
Operating system: 
PHP version: 5.2.6
PHP Bug Type: DOM XML related
Bug description: double free or corruption with setAttributeNode()

Description:
------------
I get the following double free or corruption when trying to add attributes of one DOMElement to another DOMElement with setAttributeNode().

Reproduce code:
---------------
<?php
$doc = new DOMDocument;
$doc->loadXml(<<<EOF
<?xml version="1.0" encoding="utf-8" ?>
<aaa>
  <bbb foo="bar"/>
</aaa>
EOF
);

$xpath = new DOMXPath($doc);
$bbb = $xpath->query('bbb', $doc->documentElement)->item(0);

$ccc = $doc->createElement('ccc');
foreach ($bbb->attributes as $attr) {
    // $attr is still attached to $bbb when it is handed to $ccc
    $ccc->setAttributeNode($attr);
}

Expected result:
----------------
No double free or corruption

Actual result:
--------------
ket% php test.php
*** glibc detected *** php: double free or corruption (fasttop): 0x09ed5280 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb79ba614]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb79bc816]
/usr/lib/libxml2.so.2(xmlFreeProp+0x9b)[0xb7aed17b]
/usr/lib/libxml2.so.2(xmlFreePropList+0x1b)[0xb7aed3bb]
/usr/lib/libxml2.so.2(xmlFreeNodeList+0xba)[0xb7aecaea]
/usr/lib/libxml2.so.2(xmlFreeNodeList+0x97)[0xb7aecac7]
/usr/lib/libxml2.so.2(xmlFreeDoc+0xbc)[0xb7aec90c]
php(php_libxml_decrement_doc_ref+0x5a)[0x8098cea]
php(dom_objects_free_storage+0x70)[0x80de820]
php(zend_objects_store_del_ref_by_handle+0x1cb)[0x82df80b]
php(zend_objects_store_del_ref+0x28)[0x82df858]
php(_zval_dtor_func+0x71)[0x82bfbc1]
php(_zval_ptr_dtor+0x78)[0x82b28f8]
php[0x82caed5]
php(zend_hash_reverse_apply+0x6e)[0x82cafde]
php(shutdown_destructors+0x7c)[0x82b280c]
php(zend_call_destructors+0x44)[0x82c0354]
php(php_request_shutdown+0x2fc)[0x8277b2c]
php(main+0x5f7)[0x83528b7]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7962455]
php[0x8097cb1]
======= Memory map: ========
zsh: abort      php test.php
ket%

-- 
Edit bug report at http://bugs.php.net/?id=45251&edit=1
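As an added example that is not part of the bug report, the PHP below copies the attributes of one DOMElement onto another without ever letting both elements own the same underlying libxml attribute node, which is what the report's loop does by handing $bbb's live DOMAttr objects straight to $ccc->setAttributeNode(); the copyAttributes() helper, its move mode and the second attribute baz are assumptions introduced here.

```php
<?php
// Added example, not from the bug report: copy the attributes of one
// DOMElement onto another without letting both elements own the same
// libxml attribute node.
//
// copy mode: attach an unlinked clone; the source keeps its own node.
// move mode: detach the node from its owner with removeAttributeNode()
//            first, so it has exactly one owner at every moment.
function copyAttributes(DOMElement $from, DOMElement $to, $move = false)
{
    // Work on a snapshot: in move mode the live DOMNamedNodeMap shrinks
    // while we iterate, which would skip entries.
    $attrs = iterator_to_array($from->attributes, false);
    $n = 0;
    foreach ($attrs as $attr) {
        if ($move) {
            $from->removeAttributeNode($attr);   // unlink from $from ...
            $to->setAttributeNode($attr);        // ... then attach to $to
        } else {
            // cloneNode() returns a fresh DOMAttr (same name and value)
            // that is not attached to any element yet.
            $to->setAttributeNode($attr->cloneNode(true));
        }
        $n++;
    }
    return $n;
}

// Constructed input, modelled on the report's document.
$doc = new DOMDocument;
$doc->loadXML('<aaa><bbb foo="bar" baz="qux"/></aaa>');
$xpath = new DOMXPath($doc);
$bbb = $xpath->query('bbb', $doc->documentElement)->item(0);

$ccc = $doc->createElement('ccc');
copyAttributes($bbb, $ccc);          // copy: bbb still has foo and baz
$doc->documentElement->appendChild($ccc);

$ddd = $doc->createElement('ddd');
copyAttributes($bbb, $ddd, true);    // move: bbb is left without attributes
$doc->documentElement->appendChild($ddd);

echo $doc->saveXML();
```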