c_DOMDocument::t_getelementbyid() caches a pointer to the associated c_DOMElement object in the node struct's "_private" member, but fails to increment the reference count. Thus a use-after-free situation can easily be encountered:
In debug mode, this will assert in assert_refcount_realistic_ns(), with refcount=0x6a6a6a6a. In release mode, it will return the freed object to the userspace and most likely will crash some time later, as in https://bugzilla.wikimedia.org/show_bug.cgi?id=65703
Git blame implicates b568bf9 #2314 @chalet16
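A minimal C model of the caching pattern this report describes, added here as an illustration and not HHVM code: `Element`, `Node`, `get_element` and the single-slot allocator are hypothetical, and the 0x6a poison byte is assumed from the refcount value quoted in the report. Freed memory is poisoned rather than released so the stale read stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy types: a refcounted wrapper and the node that caches it. */
typedef struct { uint32_t refcount; int id; } Element;
typedef struct { Element *_private; } Node;

static Element slot;  /* single-slot "heap": freed memory remains readable */

/* Debug-style release: poison the object when the last reference goes. */
static void decref(Element *e) {
    if (--e->refcount == 0)
        memset(e, 0x6a, sizeof *e);
}

/* Return the wrapper for a node, creating and caching it on first use.
 * hold_ref = 0: the cache stores a raw pointer without owning a reference
 *               (the pattern the report describes).
 * hold_ref = 1: the cache takes its own reference (corrected pattern). */
static Element *get_element(Node *n, int hold_ref) {
    if (!n->_private) {
        slot.refcount = 0;
        slot.id = 42;
        n->_private = &slot;
        if (hold_ref)
            slot.refcount++;          /* reference owned by the cache */
    }
    n->_private->refcount++;          /* reference owned by the caller */
    return n->_private;
}

/* Look up once, drop the caller's reference, then report the refcount
 * the next lookup would find behind the cached pointer. */
static uint32_t cached_refcount_after_release(int hold_ref) {
    Node n = { 0 };
    Element *e = get_element(&n, hold_ref);
    decref(e);                        /* caller is done with the object */
    return n._private->refcount;
}

int main(void) {
    printf("no cache ref:   0x%x\n", (unsigned)cached_refcount_after_release(0));
    printf("with cache ref: 0x%x\n", (unsigned)cached_refcount_after_release(1));
    return 0;
}
```

In the corrected pattern the node's teardown path must also release the cache's reference, otherwise the wrapper leaks.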