Skip to content

Assertion failure in DOM->replaceChild #16593

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
chibinz opened this issue Oct 25, 2024 · 0 comments
Closed

Assertion failure in DOM->replaceChild #16593

chibinz opened this issue Oct 25, 2024 · 0 comments
Assignees
@nielsdos
Labels
Bug Extension: dom Status: Verified

Comments

@chibinz
Copy link

chibinz commented Oct 25, 2024

Description

The following code:

<?php

$v1 = new DOMElement ( "xm" , "y" , "z" );
$v2 = new DOMAttr ( "v" );
$v3 = new DOMElement ( "RF" , "fV" );
$v6 = new DOMDocument ( "Av" );
$v7 = new DOMElement ( "mh" , null , "m" );

$v3 -> replaceChildren ( $v7 );
$v7 -> prepend ( $v1 );
$v6 -> insertBefore ( $v3 );
$v7 -> replaceChild ( $v2 , $v1 );

Resulted in this output:

php: /tmp/php-asan/ext/dom/php_dom.c:2032: void dom_reconcile_ns(xmlDocPtr, xmlNodePtr): Assertion `nodep->type != XML_ATTRIBUTE_NODE' failed.

PHP Version

PHP 8.5.0-dev

Operating System

No response
@devnexen devnexen assigned devnexen and nielsdos and unassigned devnexen Oct 25, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Oct 25, 2024
@nielsdos
Fix phpGH-16593: Assertion failure in DOM->replaceChild
58cead1 
This is already forbidden by libxml, but this condition isn't properly
checked; so the return value and lack of error makes it seem like it
worked while it actually didn't. Furthermore, this can break assumptions
and assertions later on.
@nielsdos nielsdos linked a pull request Oct 25, 2024 that will close this issue
Fix GH-16593: Assertion failure in DOM->replaceChild #16596
Closed
nielsdos added a commit that referenced this issue Oct 28, 2024
@nielsdos
Merge branch 'PHP-8.2' into PHP-8.3
ed21ebd 
* PHP-8.2:
  Fix GH-16595: Another UAF in DOM -> cloneNode
  Fix GH-16593: Assertion failure in DOM->replaceChild
nielsdos added a commit that referenced this issue Oct 28, 2024
@nielsdos
Merge branch 'PHP-8.3' into PHP-8.4
6e82ae9 
* PHP-8.3:
  Fix GH-16595: Another UAF in DOM -> cloneNode
  Fix GH-16593: Assertion failure in DOM->replaceChild
nielsdos added a commit that referenced this issue Oct 28, 2024
@nielsdos
Merge branch 'PHP-8.4'
99cdd67 
* PHP-8.4:
  Fix GH-16595: Another UAF in DOM -> cloneNode
  Fix GH-16593: Assertion failure in DOM->replaceChild
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nielsdos nielsdos

Labels
Bug Extension: dom Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix GH-16593: Assertion failure in DOM->replaceChild nielsdos/php-src
3 participants
@devnexen @nielsdos @chibinz