From 43b8ee7c1b65f87b0f0ce303617e8dd806803b15 Mon Sep 17 00:00:00 2001
From: Tim Toohey
Date: Sat, 4 Apr 2015 13:05:38 +1100
Subject: [PATCH 1/3] Fix #69373 References to deleted XPath query results

Increment node reference count for nodes created in php_xpath_eval()
---
ext/dom/xpath.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/ext/dom/xpath.c b/ext/dom/xpath.c
index 1fb6574695a46..6153c5bd83b2b 100644
--- a/ext/dom/xpath.c
+++ b/ext/dom/xpath.c
@@ -464,6 +464,7 @@ static void php_xpath_eval(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
 node->ns = curns;
 }
 php_dom_create_object(node, &child, &intern->dom);
+ php_libxml_increment_node_ptr((php_libxml_node_object *)intern, (xmlNodePtr)node, (void *)intern);
 add_next_index_zval(&retval, &child);
 }
 }

From 26463a829c0f028976b53c81a9d69dd72dbd211a Mon Sep 17 00:00:00 2001
From: Tim Toohey
Date: Sun, 5 Apr 2015 20:04:00 +1000
Subject: [PATCH 2/3] revert 43b8ee7c1b65f87

---
ext/dom/xpath.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/ext/dom/xpath.c b/ext/dom/xpath.c
index 6153c5bd83b2b..1fb6574695a46 100644
--- a/ext/dom/xpath.c
+++ b/ext/dom/xpath.c
@@ -464,7 +464,6 @@ static void php_xpath_eval(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
 node->ns = curns;
 }
 php_dom_create_object(node, &child, &intern->dom);
- php_libxml_increment_node_ptr((php_libxml_node_object *)intern, (xmlNodePtr)node, (void *)intern);
 add_next_index_zval(&retval, &child);
 }
 }

From 88d9bd0564dc1b64f885d79b0c3ed1d55dfeafbf Mon Sep 17 00:00:00 2001
From: Tim Toohey
Date: Sun, 5 Apr 2015 20:09:31 +1000
Subject: [PATCH 3/3] Fix #69373 References to deleted XPath query results

Prevent double-free from write to nodeValue. xmlNodeSetContentLen calls xmlFreeNode() on the node children. This results in references to those children having pointers to free'ed memory. This fix prevents the call to xmlFreeNode().
---
ext/dom/node.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ext/dom/node.c b/ext/dom/node.c
index 971c727b58037..8e9388d7329d8 100644
--- a/ext/dom/node.c
+++ b/ext/dom/node.c
@@ -337,6 +337,7 @@ int dom_node_node_value_write(dom_object *obj, zval *newval)
 case XML_ATTRIBUTE_NODE:
 if (nodep->children) {
 node_list_unlink(nodep->children);
+ nodep->children = NULL;
 }
 case XML_TEXT_NODE:
 case XML_COMMENT_NODE:
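Review bot: The added `nodep->children = NULL;` discards whatever `node_list_unlink()` left in the child list, so any child that helper did not detach (its body is not visible here, but in ext/dom it appears to unlink only nodes that still have a PHP wrapper) is no longer reachable from the attribute and is never freed by the content setter that follows, which trades the use-after-free for a leak of those text/entity children. Freeing the remaining list before clearing the pointer would close that gap, e.g. `php_libxml_node_free_list((xmlNodePtr) nodep->children);` immediately before `nodep->children = NULL;`, assuming that ext/libxml helper is in scope for this file. `nodep->last` is also left pointing into the old list until the later libxml call reassigns it, so a one-line comment such as `/* children freed/cleared here; libxml rebuilds children/last below */` would help the next reader. The `XML_ATTRIBUTE_NODE` case still falls into `XML_TEXT_NODE` without a `/* fallthrough */` marker. dom_node_node_value_write begins and ends outside this hunk.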