Skip to content

ext/dom: Fix double-free of namespaces on OOM during parsing.#22539

Draft
devnexen wants to merge 2 commits into
php:masterfrom
devnexen:gh22522
Draft

ext/dom: Fix double-free of namespaces on OOM during parsing.#22539
devnexen wants to merge 2 commits into
php:masterfrom
devnexen:gh22522

Conversation

@devnexen

@devnexen devnexen commented Jul 1, 2026

Copy link
Copy Markdown
Member

Fix #22522

php_dom_ns_compat_mark_attribute_list() cleared node->nsDef only after moving every namespace onto doc->oldNs, so a bailout mid-loop (e.g. OOM) left both lists owning the same namespaces, double-freeing them on teardown. Move each namespace to oldNs before the allocating calls so it is only ever owned by one list.

Fix php#22522

php_dom_ns_compat_mark_attribute_list() cleared node->nsDef only after
moving every namespace onto doc->oldNs, so a bailout mid-loop (e.g. OOM)
left both lists owning the same namespaces, double-freeing them on teardown.
Move each namespace to oldNs before the allocating calls so it is only ever
owned by one list.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ASan double-free DOM XML php_libxml_decrement_doc_ref_directly

1 participant