| Bug #32615 | Segfault in DOMNode::replaceChild() when previousSibling is NULL | | |
|---|---|---|---|
| Submitted: | 2005-04-07 02:14 UTC | Modified: | 2005-04-08 18:01 UTC |
| From: | james at safesearching dot com | Assigned: | rrichards (profile) |
| Status: | Closed | Package: | DOM XML related |
| PHP Version: | 5.0.4 | OS: | Redhat 7.3 |
| Private report: | No | CVE-ID: | None |
[2005-04-07 02:14 UTC] james at safesearching dot com
Description:
------------
A segfault occurs when calling DOMNode::replaceChild() if previousSibling is NULL and nextSibling is not NULL.
The segfault occurs on line 1150 of ext/dom/node.c. The relevant code is:
    if (prevsib == NULL && nextsib == NULL) {
        nodep->children = newchild;
        nodep->last = fragment->last;
    } else {
        if (newchild) {
            prevsib->next = newchild;          /* <--- segfault is here */
            newchild->prev = prevsib;
            fragment->last->next = nextsib;
            if (nextsib) {
                nextsib->prev = fragment->last;
            } else {
                nodep->last = fragment->last;
            }
        }
    }
The code doesn't check for the possibility that prevsib == NULL and nextsib != NULL.
Reproduce code:
---------------
<?php
header('Content-type: text/plain;');
// Document with two children: the first one has no previousSibling
// but does have a nextSibling.
$xml = "<root><first/><second/></root>\n";
$dom = new DomDocument;
$dom->loadXML($xml);
$root = $dom->documentElement;
// Wrap the replacement in a DocumentFragment so the fragment-splicing
// branch of replaceChild() is taken.
$node = $dom->createElement('newfirst');
$frag = $dom->createDocumentFragment();
$frag->appendChild($node);
// Replace the first child (prevsib == NULL, nextsib != NULL).
$root->replaceChild($frag, $root->firstChild);
print_r($dom->saveXML());
?>
Expected result:
----------------
<?xml version="1.0"?>
<root><newfirst/><second/></root>
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 4477)]
0x403490ac in zif_dom_node_replace_child (ht=2, return_value=0x814822c,
this_ptr=0x81452c4, return_value_used=0)
at /home/james/php-5.0.4/ext/dom/node.c:1150
1150 prevsib->next = newchild;
(gdb) bt
#0 0x403490ac in zif_dom_node_replace_child (ht=2, return_value=0x814822c,
this_ptr=0x81452c4, return_value_used=0)
at /home/james/php-5.0.4/ext/dom/node.c:1150
#1 0x4047ac3a in zend_do_fcall_common_helper (execute_data=0xbfffb4c0,
opline=0x814a310, op_array=0x81451cc)
at /home/james/php-5.0.4/Zend/zend_execute.c:2727
#2 0x4047b1a7 in zend_do_fcall_by_name_handler (execute_data=0xbfffb4c0,
opline=0x814a310, op_array=0x81451cc)
at /home/james/php-5.0.4/Zend/zend_execute.c:2841
#3 0x40477a55 in execute (op_array=0x81451cc)
at /home/james/php-5.0.4/Zend/zend_execute.c:1406
#4 0x404530e3 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/james/php-5.0.4/Zend/zend.c:1069
#5 0x404123b8 in php_execute_script (primary_file=0xbfffd820)
at /home/james/php-5.0.4/main/main.c:1632
#6 0x40482442 in apache_php_module_main (r=0x8138480, display_source_mode=0)
at /home/james/php-5.0.4/sapi/apache/sapi_apache.c:54
#7 0x4048310c in send_php (r=0x8138480, display_source_mode=0,
filename=0x8139f88 "/var/www/html/test1.php")
at /home/james/php-5.0.4/sapi/apache/mod_php5.c:622
#8 0x40483165 in send_parsed_php (r=0x8138480)
at /home/james/php-5.0.4/sapi/apache/mod_php5.c:637
#9 0x0805480d in ap_invoke_handler ()
#10 0x08067b0c in process_request_internal ()
#11 0x08067b83 in ap_process_request ()
#12 0x0805fc97 in child_main ()
#13 0x0805fe3a in make_child ()
#14 0x0805ff7d in startup_children ()
#15 0x080605d0 in standalone_main ()
#16 0x08060ed3 in main ()
#17 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
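A minimal model of the child-list splice the report describes, added here as an example; it is not code from the bug report or from ext/dom/node.c. The `node_t`/`parent_t` types and the functions `splice_buggy`, `splice_fixed`, `render` and `replace_child_demo` are simplified stand-ins for libxml2's xmlNode fields (`children`, `last`, `prev`, `next`), not PHP's or libxml2's own functions. The buggy variant returns -1 at the point where the original dereferences a NULL `prevsib`, so the scenario can be exercised without crashing; the hardened variant links each edge of the fragment independently, so all four NULL/non-NULL combinations of `prevsib` and `nextsib` are handled.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for libxml2's xmlNode (assumption, not the real struct). */
typedef struct node {
    const char *name;
    struct node *prev, *next;
} node_t;

typedef struct parent {
    node_t *children;   /* first child */
    node_t *last;       /* last child  */
} parent_t;

/* The splice as the report describes it: "no siblings" and "has a previous
 * sibling" are handled, but prevsib is dereferenced when the replaced node
 * was the first of several. Returns -1 where the original would crash. */
static int splice_buggy(parent_t *nodep, node_t *prevsib, node_t *nextsib,
                        node_t *newchild, node_t *frag_last)
{
    if (prevsib == NULL && nextsib == NULL) {
        nodep->children = newchild;
        nodep->last = frag_last;
        return 0;
    }
    if (prevsib == NULL) {
        return -1;   /* original: prevsib->next = newchild; -> SIGSEGV */
    }
    prevsib->next = newchild;
    newchild->prev = prevsib;
    frag_last->next = nextsib;
    if (nextsib) {
        nextsib->prev = frag_last;
    } else {
        nodep->last = frag_last;
    }
    return 0;
}

/* Hardened splice: left and right edges are linked independently, so the
 * first-child, last-child, middle and only-child positions are all covered. */
static int splice_fixed(parent_t *nodep, node_t *prevsib, node_t *nextsib,
                        node_t *newchild, node_t *frag_last)
{
    newchild->prev = prevsib;
    if (prevsib) {
        prevsib->next = newchild;
    } else {
        nodep->children = newchild;   /* replaced node was the first child */
    }
    frag_last->next = nextsib;
    if (nextsib) {
        nextsib->prev = frag_last;
    } else {
        nodep->last = frag_last;      /* replaced node was the last child */
    }
    return 0;
}

/* Render child names forward into `out` while checking that every prev link
 * and the parent's last pointer agree. Returns NULL on an inconsistent list. */
static const char *render(const parent_t *p, char *out, size_t n)
{
    out[0] = '\0';
    node_t *prev = NULL;
    for (node_t *c = p->children; c; prev = c, c = c->next) {
        if (c->prev != prev) return NULL;
        if (out[0]) strncat(out, " ", n - strlen(out) - 1);
        strncat(out, c->name, n - strlen(out) - 1);
    }
    if (prev != p->last) return NULL;
    return out;
}

/* Build a parent with `nchildren` children named a, b, c (constructed data),
 * replace child `which` with a fragment holding x and y, and return the
 * resulting order, or NULL if the splice refused (buggy path) or corrupted
 * the list. */
const char *replace_child_demo(int use_fixed, int nchildren, int which)
{
    static const char *names[] = { "a", "b", "c" };
    static char out[64];
    node_t kids[3] = {{0}}, frag[2] = {{"x"}, {"y"}};
    parent_t root = { NULL, NULL };

    if (nchildren < 1 || nchildren > 3 || which < 0 || which >= nchildren) return NULL;
    for (int i = 0; i < nchildren; i++) {
        kids[i].name = names[i];
        kids[i].prev = i > 0 ? &kids[i - 1] : NULL;
        kids[i].next = i + 1 < nchildren ? &kids[i + 1] : NULL;
    }
    root.children = &kids[0];
    root.last = &kids[nchildren - 1];
    frag[0].next = &frag[1];
    frag[1].prev = &frag[0];

    node_t *old = &kids[which];
    int rc = use_fixed ? splice_fixed(&root, old->prev, old->next, &frag[0], &frag[1])
                       : splice_buggy(&root, old->prev, old->next, &frag[0], &frag[1]);
    return rc == 0 ? render(&root, out, sizeof out) : NULL;
}

int main(void)
{
    /* The report's scenario: two children, replace the first. */
    const char *r = replace_child_demo(0, 2, 0);
    printf("buggy: %s\n", r ? r : "(would segfault: prevsib is NULL)");
    printf("fixed: %s\n", replace_child_demo(1, 2, 0));
    return 0;
}
```

Besides the report's case, `replace_child_demo` covers the only-child, middle and last-child positions, and `render` walks the list backwards as well as forwards; that bidirectional consistency check is what a regression test for this class of linked-list splice bug should assert, since a splice that merely avoids the NULL dereference can still leave a dangling `prev` pointer.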
[2005-04-08 18:01 UTC] rrichards@php.net