The reference counts of the internal document pointer are mismanaged. In the case of fragments the refcount may be increased too much, while in other cases the document reference may not be applied to all children. This bug has existed for a long time, but it does not reproduce (easily) on 8.2 due to other bugs. Furthermore, 8.2 will enter security mode soon, and this change may be too risky. Fixes GH-16150. Fixed GH-16152. Closes GH-16178.
--TEST--
GH-16150 (Use after free in php_dom.c)
--EXTENSIONS--
dom
--FILE--
<?php
/**
 * Regression scenario for GH-16150 (use after free in php_dom.c).
 *
 * Builds a three-level element tree from nodes created with `new DOMElement`,
 * attaches it under a DOMDocument in two steps through the insertion method
 * named by $fname, and prints the serialized document.
 *
 * NOTE(review): the statement order is part of the test. The inline comment on
 * the DOMDocument line says its position controls destruction order, so the
 * body should not be reordered or "tidied" without re-checking that the test
 * still exercises the original bug (ideally under ASAN/valgrind).
 *
 * @param string $fname Name of the DOMNode insertion method to call
 *                      dynamically; the script passes 'appendChild' and
 *                      'insertBefore'.
 */
function test($fname) {
    // Three elements created directly, not through a document factory method.
    $e1 = new DOMElement("E1");
    $e2 = new DOMElement("E2");
    $e3 = new DOMElement("E3");
    $doc = new DOMDocument(); // Must be placed here so it is destroyed first
    // E3 becomes the document element.
    $doc->{$fname}($e3);
    // E1 is linked under E2 while E2 is still outside the document.
    $e2->append($e1);
    // The E2 subtree (carrying E1) is inserted below E3, which already belongs
    // to $doc. Presumably this is the "document reference not applied to all
    // children" case from the fix description -- confirm against php_dom.c.
    $e3->{$fname}($e2);
    // Serializing proves the whole tree is reachable from the document.
    echo $doc->saveXML();
}
// Run the scenario once per insertion API: appendChild first, then insertBefore.
foreach (['appendChild', 'insertBefore'] as $insertMethod) {
    test($insertMethod);
}
?>
--EXPECT--
<?xml version="1.0"?>
<E3><E2><E1/></E2></E3>
<?xml version="1.0"?>
<E3><E2><E1/></E2></E3>