From b3a2fffb83c223b01c7be04d97833ad8f3598c5c Mon Sep 17 00:00:00 2001 From: Rob Richards Date: Sat, 14 Jun 2008 11:24:00 +0000 Subject: [PATCH] MFH: fixed bug #45251 (double free or corruption with setAttributeNode()) add test --- ext/dom/element.c | 8 ++++++++ ext/dom/tests/bug45251.phpt | 30 ++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 ext/dom/tests/bug45251.phpt diff --git a/ext/dom/element.c b/ext/dom/element.c index 0e66ad053e..0171496265 100644 --- a/ext/dom/element.c +++ b/ext/dom/element.c @@ -585,6 +585,10 @@ PHP_FUNCTION(dom_element_set_attribute_node) xmlUnlinkNode((xmlNodePtr) existattrp); } + if (attrp->parent != NULL) { + xmlUnlinkNode((xmlNodePtr) attrp); + } + if (attrp->doc == NULL && nodep->doc != NULL) { attrobj->document = intern->document; php_libxml_increment_doc_ref((php_libxml_node_object *)attrobj, NULL TSRMLS_CC); @@ -998,6 +1002,10 @@ PHP_FUNCTION(dom_element_set_attribute_node_ns) xmlUnlinkNode((xmlNodePtr) existattrp); } + if (attrp->parent != NULL) { + xmlUnlinkNode((xmlNodePtr) attrp); + } + if (attrp->doc == NULL && nodep->doc != NULL) { attrobj->document = intern->document; php_libxml_increment_doc_ref((php_libxml_node_object *)attrobj, NULL TSRMLS_CC); diff --git a/ext/dom/tests/bug45251.phpt b/ext/dom/tests/bug45251.phpt new file mode 100644 index 0000000000..652e3b2530 --- /dev/null +++ b/ext/dom/tests/bug45251.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #45251 (double free or corruption with setAttributeNode()) +--SKIPIF-- + +--FILE-- +loadXml(<< + + + +EOF +); + +$xpath = new DOMXPath($doc); + +$bbb = $xpath->query('bbb', $doc->documentElement)->item(0); + +$ccc = $doc->createElement('ccc'); +foreach ($bbb->attributes as $attr) +{ + $ccc->setAttributeNode($attr); +} + +echo $attr->parentNode->localName; + +?> +--EXPECT-- +ccc -- 2.40.0