From: sungta <tadinhsung@gmail.com>
Date: Wed, 12 Jul 2017 17:02:59 +0700
Subject: [2/8] bug use after free in replaceChild
Origin: https://github.com/shlomif/perl-XML-LibXML/commit/7188660dba5f9c339005766062305d58fa0f757c
Bug-Debian: https://bugs.debian.org/866676
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10672
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=122246

test case for use after free in replaceChild
---
 t/ufa.t | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 t/ufa.t

diff --git a/t/ufa.t b/t/ufa.t
new file mode 100644
index 0000000..ef3ce9d
--- /dev/null
+++ b/t/ufa.t
@@ -0,0 +1,10 @@
+#test bug use after free in function replaceChild
+use XML::LibXML;
+BEGIN { $| = 1 }
+my $data='<mipu94><pwn4fun><ufanode>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</ufanode></pwn4fun></mipu94>';
+
+my $parser = XML::LibXML->new();
+my $info = $parser->load_xml(string=>$data) or die;
+my $root = $info->findnodes("mipu94")->[0];
+my $ufanode = $root->findnodes("pwn4fun/ufanode")->[0];
+$root->replaceChild($ufanode,$ufanode);
\ No newline at end of file
-- 
2.15.0.rc2