diff options
| author | Christoph M. Becker <cmb@php.net> | 2016-07-15 00:57:36 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmb@php.net> | 2016-07-15 01:08:08 +0200 |
| commit | a4aa4f9772a6c30f69db8560cde1f5fe4545b174 (patch) | |
| tree | ad0097c2d52ec1f54a9fb651916d7a750bcc4619 /ext | |
| parent | 1c84b55adea936b065a20102202bea3d1d243225 (diff) | |
| download | php-git-a4aa4f9772a6c30f69db8560cde1f5fe4545b174.tar.gz | |
Fix bug #66502: DOM document dangling reference
When we decrement the refcount of a node's document, we state that we
won't need it anymore. Therefore we can *always* set the pointer to the
document to NULL, what avoids invalid memory accesses for some edge cases
as demonstrated with the PHPT.
Original patch provided by Sean Heelan.
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/dom/tests/bug66502.phpt | 20 | ||||
| -rw-r--r-- | ext/libxml/libxml.c | 2 |
2 files changed, 21 insertions, 1 deletions
diff --git a/ext/dom/tests/bug66502.phpt b/ext/dom/tests/bug66502.phpt new file mode 100644 index 0000000000..5b35b41e93 --- /dev/null +++ b/ext/dom/tests/bug66502.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #66502 (DOM document dangling reference) +--SKIPIF-- +<?php +if (!extension_loaded('dom')) die('skip requires ext/dom'); +?> +--FILE-- +<?php +$dom = new DOMDocument('1.0', 'UTF-8'); +$element = $dom->appendChild(new DOMElement('root')); +$comment = new DOMComment("Comment 0"); +$comment = $element->appendChild($comment); + +$comment->__construct("Comment 1"); +$comment->__construct("Comment 2"); +$comment->__construct("Comment 3"); +echo 'DONE', PHP_EOL; +?> +--EXPECT-- +DONE
\ No newline at end of file diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c index bd0016b79f..b252cb6d81 100644 --- a/ext/libxml/libxml.c +++ b/ext/libxml/libxml.c @@ -1272,8 +1272,8 @@ PHP_LIBXML_API int php_libxml_decrement_doc_ref(php_libxml_node_object *object T efree(object->document->doc_props); } efree(object->document); - object->document = NULL; } + object->document = NULL; } return ret_refcount; |