MFH: fixed bug #45251 (double free or corruption with setAttributeNode())

add test

diff --git a/ext/dom/element.c b/ext/dom/element.c
index 0e66ad053e08da0ebc8f7c8d9412967e0915340e..01714962654147f28c28466b4fbbdadf59e98761 100644 (file)
--- a/ext/dom/element.c
+++ b/ext/dom/element.c
@@ -585,6 +585,10 @@ PHP_FUNCTION(dom_element_set_attribute_node)
                xmlUnlinkNode((xmlNodePtr) existattrp);
        }
 
+       if (attrp->parent != NULL) {
+               xmlUnlinkNode((xmlNodePtr) attrp);
+       }
+
        if (attrp->doc == NULL && nodep->doc != NULL) {
                attrobj->document = intern->document;
                php_libxml_increment_doc_ref((php_libxml_node_object *)attrobj, NULL TSRMLS_CC);
@@ -998,6 +1002,10 @@ PHP_FUNCTION(dom_element_set_attribute_node_ns)
                xmlUnlinkNode((xmlNodePtr) existattrp);
        }
 
+       if (attrp->parent != NULL) {
+               xmlUnlinkNode((xmlNodePtr) attrp);
+       }
+
        if (attrp->doc == NULL && nodep->doc != NULL) {
                attrobj->document = intern->document;
                php_libxml_increment_doc_ref((php_libxml_node_object *)attrobj, NULL TSRMLS_CC);

diff --git a/ext/dom/tests/bug45251.phpt b/ext/dom/tests/bug45251.phpt
new file mode 100644 (file)
index 0000000..652e3b2
--- /dev/null
+++ b/ext/dom/tests/bug45251.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #45251 (double free or corruption with setAttributeNode())
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+$doc = new DOMDocument;
+$doc->loadXml(<<<EOF
+<?xml version="1.0" encoding="utf-8" ?>
+<aaa>
+  <bbb foo="bar"/>
+</aaa>
+EOF
+);
+
+$xpath = new DOMXPath($doc);
+
+$bbb = $xpath->query('bbb', $doc->documentElement)->item(0);
+
+$ccc = $doc->createElement('ccc');
+foreach ($bbb->attributes as $attr)
+{
+  $ccc->setAttributeNode($attr);
+}
+
+echo $attr->parentNode->localName;
+
+?>
+--EXPECT--
+ccc