Conversation
|
your fix looks correct but maybe @smalyshev would like to have a look first. |
|
I think it is a fix worth having, the UAF issue is real if @cmb69 or another dom sensei can look at it, it would be appreciated :-) |
|
Indeed, that UAF is ugly, but I'm not sure whether this patch wouldn't leak memory. I'll have a closer look ASAP. |
|
Not really sure what to do here; apparently, the implementation is broken. E.g. $doc = new \DOMDocument();
$doc->loadXML('<a>foo<last/></a>');
$target = $doc->documentElement->firstChild;
$target->before($target, 'baz', 'cat');
echo $doc->saveXML($doc->documentElement).PHP_EOL;segfaults with and without the patch. Or the following: $doc = new \DOMDocument();
$doc->loadXML('<a>foo<last/></a>');
$target = $doc->documentElement->lastChild;
$target->before('baz', 'cat', $target);
echo $doc->saveXML($doc->documentElement).PHP_EOL;hangs without the patch, and still has a double free with it. But besides that, it outputs
|
|
Confusingly, let me see what caused the segment fault. |
|
Hi, I have a question. @cmb69 $doc = new \DOMDocument();
$doc->loadXML('<a>foo<last/></a>');
$target = $doc->documentElement->firstChild;
$target->before($target, 'baz', 'cat');
echo $doc->saveXML($doc->documentElement).PHP_EOL; |
|
I think that code should output: |
Thanks. |
|
Thank you! On a quick glance, this looks much better. Maybe @beberlei wants to review. |
|
Thanks. |
|
I gave a shot at your branch locally, no leaks neither. |
|
Since it is a bugfix there is still a bit time :-) however, at worse, @cmb69 will have the final word. |
|
@devnexen @cmb69 @beberlei @smalyshev |
|
@beberlei |
This furthermore fixes the logic error explained in #8729 (comment) Closes GH-10682.
|
Thanks for your interest in ext/dom. |
4 participants
https://bugs.php.net/bug.php?id=80602
If the number of parameters is greater than or equal to three,
xmlNewDocTextfunction always returns a pointer that point to$doc->documentElement->firstChild.https://bugs.php.net/bug.php?id=81642
#9142