php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #13322 Still SIGSEGV with DOMXML / double free()
Submitted: 2001-09-15 17:17 UTC Modified: 2002-01-12 06:48 UTC
From: ih at fido dot cz Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.0CVS-2001-09-15 OS: Debian Linux 2.2
Private report: No CVE-ID: None
View Developer Edit
 [2001-09-15 17:17 UTC] ih at fido dot cz 
DOMXML still has problem with SIGSEGV. Now, after shutdown, php_free_xml_dom got NULL pointer and xmlFreeDoc double free or what. I hope, that problem is in mine, but joey please look at this.

My script:
--- test.php ---
<?php
$doc = xmldocfile('./test.xml');
?>

--- text.xml ---
<?xml version="1.0" encoding="iso-8859-2"?><root>
  <nothing/>
</root>

And result is:

Program received signal SIGSEGV, Segmentation fault.
0x40208860 in free () from /lib/libc.so.6
(gdb) bt
#0  0x40208860 in free () from /lib/libc.so.6
#1  0x400b0ca9 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#2  0x400b0c67 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#3  0x400af18c in xmlFreeDoc () from /usr/lib/libxml2.so.2
#4  0x808522d in php_free_xml_doc (rsrc=0x8290e24) at 
#5  0x813385a in list_entry_destructor (ptr=0x8290e24) at zend_list.c:177
#6  0x8133a45 in zend_destroy_rsrc_list (ht=0x8202a64) at zend_list.c:248
#7  0x8122a10 in shutdown_executor () at zend_execute_API.c:190
#8  0x812c2d6 in zend_deactivate () at zend.c:595
#9  0x8078def in php_request_shutdown (dummy=0x0) at main.c:736
#10 0x8138294 in apache_php_module_main (r=0x8283de4, display_source_mode=0)
    at sapi_apache.c:96
#11 0x8076446 in send_php ()
#12 0x80764a2 in send_parsed_php ()
#13 0x815fdd9 in ap_invoke_handler ()
#14 0x817475f in process_request_internal ()
#15 0x8174bb6 in ap_internal_redirect ()
#16 0x815236d in mod_gzip_redir1_handler ()
#17 0x8150c02 in mod_gzip_handler ()
#18 0x815fdd9 in ap_invoke_handler ()
#19 0x817475f in process_request_internal ()
#20 0x81747c6 in ap_process_request ()
#21 0x816b6d6 in child_main ()
#22 0x816b891 in make_child ()
#23 0x816ba0c in startup_children ()
#24 0x816c07c in standalone_main ()
#25 0x816c8ac in main ()
#26 0x401b364f in __libc_start_main () from /lib/libc.so.6


I try to debug and:
=php_domxml.c(v1.74):2269 in xmldocfile()
..
docp = xmlParseFile(Z_STRVAL_P(arg));
...
=print *docp
{_private = 0x0, type = XML_DOCUMENT_NODE, name = 0x0,
  children = 0x82b0658, last = 0x82b0658, parent = 0x0, next
= 0x0,
  prev = 0x0, doc = 0x82b05c0, compression = -1, standalone = -1,
  intSubset = 0x0, extSubset = 0x0, oldNs = 0x0, version = 0x82b0618 "1.0",
  encoding = 0x82b06e8 "iso-8859-2", ids = 0x0, refs = 0x0,
  URL = 0x82b0628 "./test.xml", charset = 1}.
=

look's like file was parsed without problem, *return_value look's good. But zend_list_addref(ret) return ret, not return_value. Is it right?

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-09-15 17:27 UTC] ih at fido dot cz 
ii  libc6          2.2.4-1        GNU C Library: Shared libraries
ii  libc6-dbg      2.2.4-1        GNU C Library: Libraries with
ii  libc6-dev      2.2.4-1        GNU C Library: Development Lib
ii  libxml1        1.8.15-1       GNOME XML library
ii  libxml2        2.4.3-1        GNOME XML library
ii  libxml2-dev    2.4.3-1        Development files for the GNOM
ii  libxmltok1     1.1-6          XML Parser Toolkit, runtime libraries

APACHE:
Server version: Apache/1.3.20 (Unix)
Server built:   Sep 15 2001 22:10:37
Server's Module Magic Number: 19990320:10
Server compiled with....
 -D HAVE_MMAP
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD.
 -D USE_MMAP_FILES
 -D USE_SYSVSEM_SERIALIZED_ACCEPT
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D HTTPD_ROOT="/rscr/apprscr2"
 -D SUEXEC_BIN="/rscr/apprscr2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="logs/access_log"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"
Compiled-in modules:
  http_core.c
  mod_log_config.c
  mod_mime.c
  mod_status.c
  mod_dir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_setenvif.c
  mod_php4.c
  mod_gzip.c
EXTRA_CFLAGS=-DDYNAMIC_MODULE_LIMIT=0 ./configure
                --prefix=/rscr/apprscr2 \
                --with-layout=Apache \
                --disable-module=env \
                --disable-module=negotiation \
                --disable-module=userdir \
                --disable-module=asis \
                --disable-module=include \
                --disable-module=cgi \
                --disable-module=actions \
                --disable-module=imap \
                --disable-module=autoindex \
                --enable-module=dir \
                --enable-module=rewrite \
                --enable-module=alias \
                --enable-module=setenvif \
                --activate-module=src/modules/php4/libphp4.a \
               --activate-module=src/modules/gzip/mod_gzip.o


PHP4_SNAPSHOT: php4-200109151335
/configure --prefix=/rscr/apprscr2 \
                --with-apache=../apache_1.3.20 \
                --with-config-file-path=/rscr/apprscr2/conf \
                --with-pear=/rscr/pear2 \
                --with-regex=system \
                --enable-debug \
                --enable-track-vars \
                --enable-trans-sid \
                --disable-rpath \
                --enable-session \
                --enable-memory-limit \
                --enable-sysvsem \
                --enable-sysvshm \
                --enable-shmop \
                --enable-ctype \
                --enable-sockets \
                --enable-exif \
                --with-jpeg-dir=shared,/usr \
                --with-xpm-dir=shared,/usr/X11R6 \
                --with-png-dir=shared,/usr \
                --with-ttf=shared,/usr \
                --with-t1lib=shared,/usr \
                --with-mm \
                --with-pcre-regex=/usr \
                --without-pgsql \
                --with-mysql=/usr \
                --with-dom=/usr \
                --with-zlib=/usr \
                --with-iconv=/usr
 [2001-09-15 17:31 UTC] joey@php.net 
I cannot duplicate this with current CVS...are
you absolutely SURE you are using most recent CVS?
 [2001-09-15 17:47 UTC] ih at fido dot cz 
I've got php4-200109151335.tar.bz from http://snaps.php.net. I can try last one http://snaps.php.net:8000/php4-200109151635.tar.bz2.
 [2001-09-15 18:17 UTC] ih at fido dot cz 
Problem is still here in last CVS. Standalone php (cgi) same problem.

Program received signal SIGSEGV, Segmentation fault.
0x401fab13 in free () from /lib/libc.so.6
(gdb) bt
#0  0x401fab13 in free () from /lib/libc.so.6
#1  0x401fa873 in free () from /lib/libc.so.6
#2  0x400efca9 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#3  0x400efc67 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#4  0x400ee18c in xmlFreeDoc () from /usr/lib/libxml2.so.2
#5  0x806f05d in php_free_xml_doc (rsrc=0x81dae54) at php_domxml.c:353
#6  0x811d85a in list_entry_destructor (ptr=0x81dae54) at zend_list.c:177
#7  0x811da45 in zend_destroy_rsrc_list (ht=0x8185d64) at zend_list.c:248
#8  0x810ca10 in shutdown_executor () at zend_execute_API.c:190
#9  0x81162d6 in zend_deactivate () at zend.c:595
#10 0x8062c1f in php_request_shutdown (dummy=0x0) at main.c:736
#11 0x8061533 in main (argc=2, argv=0xbffffb04) at cgi_main.c:775
 [2001-09-15 19:15 UTC] ih at fido dot cz 
Result with newest libxml2-2.4.5 is the same.

Program received signal SIGSEGV, Segmentation fault
0x401fa860 in free () from /lib/libc.so.6
(gdb) bt
#0  0x401fa860 in free () from /lib/libc.so.6
#1  0x400efe79 in xmlFreeNodeList (cur=0x81f98e0) at tree.c:2372
#2  0x400efe37 in xmlFreeNodeList (cur=0x81f9898) at tree.c:2364
#3  0x400ee2dc in xmlFreeDoc (cur=0x81f9800) at tree.c:525
#4  0x806f06d in php_free_xml_doc (rsrc=0x81dae74) at php_domxml.c:353
#5  0x811d86a in list_entry_destructor (ptr=0x81dae74) at zend_list.c:177
#6  0x811da55 in zend_destroy_rsrc_list (ht=0x8185d84) at zend_list.c:248
#7  0x810ca20 in shutdown_executor () at zend_execute_API.c:190
#8  0x81162e6 in zend_deactivate () at zend.c:595
#9  0x8062c2f in php_request_shutdown (dummy=0x0) at main.c:736
#10 0x8061543 in main (argc=2, argv=0xbffffb04) at cgi_main.c:775
 [2001-09-17 04:19 UTC] ih at fido dot cz 
Problem is on shutdown and destroy/freeing alocated memory. 
Breakpoint 2, main (argc=2, argv=0xbffffdb4) at cgi_main.c:775
775                     php_request_shutdown((void *) 0);

php_request_shutdown (dummy=0x0) at main.c:711
736             zend_deactivate(TSRMLS_C);

zend_deactivate () at zend.c:587
595             shutdown_executor(TSRMLS_C);

shutdown_executor () at zend_execute_API.c:162
190             zend_destroy_rsrc_list(&EG(regular_list) TSRMLS_CC);

zend_destroy_rsrc_list (ht=0x81798a4) at zend_list.c:235
231     void zend_destroy_rsrc_list(HashTable *ht TSRMLS_DC)
232     {
233             Bucket *p, *q;
234
235             while (1) {
236                     p = ht->pListTail;
237                     if (!p) {
238                             break;
239                     }
240                     q = p->pListLast;
241                     if (q) {
242                             q->pListNext = NULL;
243                     }
244                     ht->pListTail = q;
245
246                     if (ht->pDestructor) {
247                             zend_try {
248                                   ht->pDestructor(p->pData);
249                             } zend_end_try();
250                     }
251                     if (!p->pDataPtr && p->pData) {
252                             pefree(p->pData, ht->persistent);
253                     }
254                     pefree(p, ht->persistent);
255             }
256             pefree(ht->arBuckets, ht->persistent);
257     }


ht = (HashTable *) 0x81798a4
{nTableSize = 8, nTableMask = 7, nNumOfElements = 2,
  nNextFreeElement = 3, pInternalPointer = 0x81ad614, pListHead = 0x81ad614,
  pListTail = 0x81ac7ec, arBuckets = 0x81a8894,
  pDestructor = 0x810cc14 <list_entry_destructor>, persistent = 0 '\000',
  nApplyCount = 0 '\000', bApplyProtection = 1 '\001', inconsistent = 0}

p = (Bucket *) 0x81ac7ec
{h = 2, nKeyLength = 0, pData = 0x81ac844, pDataPtr = 0x0,
  pListNext = 0x0, pListLast = 0x81ad614, pNext = 0x0, pLast = 0x0, arKey = ""}

q = (Bucket)*ht->pListTail->pListLast
{h = 1, nKeyLength = 0, pData = 0x81b09ac, pDataPtr = 0x0,
  pListNext = 0x81ac7ec, pListLast = 0x0, pNext = 0x0, pLast = 0x0, arKey = ""}

print (Bucket)*ht->pListTail->pListLast->pListNext
{h = 2, nKeyLength = 0, pData = 0x81ac844, pDataPtr = 0x0,
  pListNext = 0x0, pListLast = 0x81ad614, pNext = 0x0, pLast = 0x0, arKey = ""}

ht->pDestructor(0x81ac844);

print (Bucket)*p
{h = 2, nKeyLength = 0, pData = 0x81ac844, pDataPtr = 0x0,
  pListNext = 0x0, pListLast = 0x81ad614, pNext = 0x0, pLast = 0x0, arKey = ""}

pefree(p->pData, ht->persistent);

and second cycle

p= (Bucket)*ht->pListTail
$142 = {h = 1, nKeyLength = 0, pData = 0x81b09ac, pDataPtr = 0x0,
  pListNext = 0x0, pListLast = 0x0, pNext = 0x0, pLast = 0x0, arKey = ""}

q = p->pListLast;
ht->pListTail = q; (now 0x0)
ht->pDestructor still point to zend list destructor php_free_xml_doc and
pData = 0x81b09ac are the same.

What's wrong?
 [2001-12-22 12:06 UTC] mfischer@php.net 
Can you try latest CVS? I believe this is fixed.

Feedback.
 [2002-01-12 06:48 UTC] lobbin@php.net 
No feedback. Closing.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Oct 23 17:00:01 2025 UTC