php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32912 Segfault in DOMXpath->query
Submitted: 2005-05-02 14:11 UTC Modified: 2005-05-03 13:43 UTC
From: vivers at one dot net Assigned:
Status: Not a bug Package: DOM XML related
PHP Version: 5.0.4 OS: SUSE Ent Svr 9 AMD64
Private report: No CVE-ID: None
 [2005-05-02 14:11 UTC] vivers at one dot net
Description:
------------
Similar to situation reported in Bug #32754.  However, installing libxml2-2.6.16 did not resolve the issue.

Calling query() method of DOMXPath where DOMDocument loaded with a document whose root element contains a namespace declaration causes segfault.

Occurred with php-5.0.4, libxml2-2.6.19 and again with 2.2.16.  Also failed with php5-STABLE-200505021035.

PHP config:
'./configure' \
'--with-apxs=/usr/local/apache/bin/apxs' \
'--with-mysqli=/usr/local/bin/mysql_config' \
'--with-openssl=/usr/local' \
'--with-libxml-dir=/usr/local' \
'--enable-debug' \

Apache/mod_ssl config:
./configure \
"--with-apache=../apache_1.3.33" \
"--with-ssl=../openssl-0.9.7g" \
"--with-mm=../mm-1.3.1" \
"--prefix=/usr/local/apache" \
"--enable-shared=ssl" \
"--disable-rule=SSL_COMPAT" \
"--with-layout=Apache" \
"--enable-rule=SSL_SDBM" \
"--enable-shared=max" \
"--enable-module=ssl" \

Does not occur on Dreamhost server running Linux 2.4.29 and running PHP in CGI mode--PHP-5.0.3 and libxml2-2.6.11.  That same combination also generated the segfault on the SUSE box.


Reproduce code:
---------------
Code from bug #32754:

<?php
$x = new DOMDocument();

// This line gives a segmentation fault.
$x->loadXml( '<template xmlns="http://blah.com"/>');

// ... but if i comment the line above out and uncomment the next line
// there are no issues. It does not matter what xmlns is set to in the line
// above.
//$x->loadXml( '<template/>' );

$xpath = new DOMXPath( $x );
$nodelist = $xpath->query( '/*' );
?>

Works fine with CGI version of php5-STABLE-200505021035.  Segfaults in Apache module, both http and https call.

Expected result:
----------------
Return nothing and no segfault

Actual result:
--------------
#0  0x0000002a95b8c70b in _int_malloc () from /lib64/tls/libc.so.6
#1  0x0000002a95b8df99 in malloc () from /lib64/tls/libc.so.6
#2  0x0000002a97f90819 in xmlMallocLoc__internal_alias (size=Variable "size" is not available.
) at xmlmemory.c:174
#3  0x0000002a97f90962 in xmlMemMalloc__internal_alias (size=Variable "size" is not available.
) at xmlmemory.c:296
#4  0x0000002a98018af6 in xmlNewPatParserContext (pattern=Variable "pattern" is not available.
) at pattern.c:261
#5  0x0000002a9801a226 in xmlPatterncompile__internal_alias (pattern=Variable "pattern" is not available.
) at pattern.c:1876
#6  0x0000002a97fabf98 in xmlXPathTryStreamCompile (ctxt=Variable "ctxt" is not available.
) at xpath.c:11270
#7  0x0000002a97fbac7b in xmlXPathEvalExpr__internal_alias (ctxt=Variable "ctxt" is not available.
) at xpath.c:11452
#8  0x0000002a97fbad77 in xmlXPathEvalExpression__internal_alias (str=Variable "str" is not available.
) at xpath.c:11549
#9  0x0000002a972c312b in zif_dom_xpath_query (ht=1, return_value=0x6e5e00, this_ptr=0x6e20d0, return_value_used=1)
    at /home/xtekadmin/src/php5-STABLE-200505021035/ext/dom/xpath.c:198
#10 0x0000002a9747949f in zend_do_fcall_common_helper (execute_data=0x7fbfffbea0, opline=0x6e7138, op_array=0x6e1ec0)
    at /home/xtekadmin/src/php5-STABLE-200505021035/Zend/zend_execute.c:2736
#11 0x0000002a97479bc1 in zend_do_fcall_by_name_handler (execute_data=0x7fbfffbea0, opline=0x6e7138, op_array=0x6e1ec0)
    at /home/xtekadmin/src/php5-STABLE-200505021035/Zend/zend_execute.c:2850
#12 0x0000002a9747550b in execute (op_array=0x6e1ec0) at /home/xtekadmin/src/php5-STABLE-200505021035/Zend/zend_execute.c:1415
#13 0x0000002a974488de in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/xtekadmin/src/php5-STABLE-200505021035/Zend/zend.c:1076
#14 0x0000002a973f7b45 in php_execute_script (primary_file=0x7fbfffe480)
    at /home/xtekadmin/src/php5-STABLE-200505021035/main/main.c:1638
#15 0x0000002a97482c60 in apache_php_module_main (r=0x56b110, display_source_mode=0)
    at /home/xtekadmin/src/php5-STABLE-200505021035/sapi/apache/sapi_apache.c:54
#16 0x0000002a97483b69 in send_php (r=0x56b110, display_source_mode=0, filename=0x6c7a40 "/usr/local/apache/htdocs/test.php")
    at /home/xtekadmin/src/php5-STABLE-200505021035/sapi/apache/mod_php5.c:622
#17 0x0000002a97483beb in send_parsed_php (r=0x56b110) at /home/xtekadmin/src/php5-STABLE-200505021035/sapi/apache/mod_php5.c:637
#18 0x00000000004105e5 in ap_invoke_handler ()
#19 0x00000000004280f7 in process_request_internal ()
#20 0x000000000042814c in ap_process_request ()
#21 0x000000000041e66e in child_main ()
#22 0x000000000041e81f in make_child ()
#23 0x000000000041e9a0 in startup_children ()
#24 0x000000000041f0cd in standalone_main ()
#25 0x000000000041f8dc in main ()


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-05-03 02:55 UTC] vivers at one dot net
"Works fine with CGI version of php5-STABLE-200505021035.  Segfaults in
Apache module, both http and https call." should be "CLI" not "CGI".

Still "CGI" in:
"Does not occur on Dreamhost server running Linux 2.4.29 and running PHP
in CGI mode--PHP-5.0.3 and libxml2-2.6.11.  That same combination also
generated the segfault on the SUSE box."

Hope that doesn't confuse the issue.
 [2005-05-03 13:22 UTC] rrichards@php.net
This is a libxml bug causing memory corruption when using namespaces and xpath (or xslt). You are just one of the *lucky* ones who experiences the crash. There's a patch, not yet in cvs, on the libxml mailing list so it should make it into next libxml2 release.
BTW: The 2.6.11 issue is a different libxml bug which was fixed.
 [2005-05-03 13:43 UTC] vivers at one dot net
Thanks for the quick response.  I'll dig up the patch.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 08:01:29 2024 UTC