MFH: fixed bug #45251 (double free or corruption with setAttributeNode())

add test

2 files changed, 38 insertions, 0 deletions

diff --git a/ext/dom/element.c b/ext/dom/element.c
index 6c6aa17808..a8a1e126d6 100644
--- a/ext/dom/element.c
+++ b/ext/dom/element.c
@@ -592,6 +592,10 @@ PHP_FUNCTION(dom_element_set_attribute_node)
 		xmlUnlinkNode((xmlNodePtr) existattrp);
 	}
 
+	if (attrp->parent != NULL) {
+		xmlUnlinkNode((xmlNodePtr) attrp);
+	}
+
 	if (attrp->doc == NULL && nodep->doc != NULL) {
 		attrobj->document = intern->document;
 		php_libxml_increment_doc_ref((php_libxml_node_object *)attrobj, NULL TSRMLS_CC);
@@ -1012,6 +1016,10 @@ PHP_FUNCTION(dom_element_set_attribute_node_ns)
 		xmlUnlinkNode((xmlNodePtr) existattrp);
 	}
 
+	if (attrp->parent != NULL) {
+		xmlUnlinkNode((xmlNodePtr) attrp);
+	}
+
 	if (attrp->doc == NULL && nodep->doc != NULL) {
 		attrobj->document = intern->document;
 		php_libxml_increment_doc_ref((php_libxml_node_object *)attrobj, NULL TSRMLS_CC);
diff --git a/ext/dom/tests/bug45251.phpt b/ext/dom/tests/bug45251.phpt
new file mode 100644
index 0000000000..652e3b2530
--- /dev/null
+++ b/ext/dom/tests/bug45251.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #45251 (double free or corruption with setAttributeNode())
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+$doc = new DOMDocument;
+$doc->loadXml(<<<EOF
+<?xml version="1.0" encoding="utf-8" ?>
+<aaa>
+  <bbb foo="bar"/>
+</aaa>
+EOF
+);
+
+$xpath = new DOMXPath($doc);
+
+$bbb = $xpath->query('bbb', $doc->documentElement)->item(0);
+
+$ccc = $doc->createElement('ccc');
+foreach ($bbb->attributes as $attr)
+{
+  $ccc->setAttributeNode($attr);
+}
+
+echo $attr->parentNode->localName;
+
+?>
+--EXPECT--
+ccc