Bug #41613 xml_get_current_line_number() causes segmentation fault
Submitted: 2007-06-06 18:42 UTC Modified: 2007-07-08 01:00 UTC
From: riverfr0zen at elitemail dot org Assigned: rrichards (profile)
Status: No Feedback Package: XML related
PHP Version: 4.4.7 OS: Linux 2.6.15-28-386 UbuntuDappr
Private report: No CVE-ID: None

 [2007-06-06 18:42 UTC] riverfr0zen at elitemail dot org
Description:
------------
It seems bug #20442 has crept in again.

Calling xml_get_current_line_number() to report the line number of an xml parsing error causes a segmentation fault.

Tested on the following feed (which causes a 'not well-formed (invalid token)' error at time of reporting):
http://feeds.feedburner.com/thr/film

The code below is run from the CLI.



Reproduce code:
---------------
while ($data = fread($feed, 4096)) {
	if (xml_parse($this->parser, $data, feof($feed)) !== 1)
	{
		print xml_error_string(xml_get_error_code($this->parser)) . "\n";
		print xml_get_current_line_number($this->parser) . "\n";
	}
}


Expected result:
----------------
not well-formed (invalid token)
(the line number)


Actual result:
--------------
Segmentation fault

 [2007-06-06 19:10 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2007-06-06 19:47 UTC] riverfr0zen at elitemail dot org
Here's the backtrace:

(gdb) bt
#0  0x081c7fdd in normal_updatePosition (enc=0x8394560, ptr=0x8d7a000 <Address 0x8d7a000 out of bounds>,
    end=0x8d67e5d " Technique of the American Commercial.\"</description>\n</item>\n<item>\n<title>'Golden' shines for Disney</title>\n<pubDate>2007-06-06</pubDate>\n<guid isPermaLink=\"true\">http://www.hollywoodreporter.com/h"..., pos=0x8cbe948) at xmltok_impl.c:1747
#1  0x081b7afe in php_XML_GetCurrentLineNumber (parser=0x8cbe7c0)
    at /usr/local/src/php-4.4.7/ext/xml/expat/xmlparse.c:1571
#2  0x081b54c5 in zif_xml_get_current_line_number (ht=1, return_value=0x8d5f0ec, this_ptr=0x0,
    return_value_used=1) at /usr/local/src/php-4.4.7/ext/xml/xml.c:1437
#3  0x082291f2 in execute (op_array=0x8cdab84) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1681
#4  0x08229498 in execute (op_array=0x8cced9c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#5  0x08229498 in execute (op_array=0x8a71d3c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#6  0x08229498 in execute (op_array=0x8a7555c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#7  0x08229498 in execute (op_array=0x8a73204) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#8  0x08229498 in execute (op_array=0x848ec3c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#9  0x08229498 in execute (op_array=0x8842254) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#10 0x08229498 in execute (op_array=0x8843e64) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#11 0x08229498 in execute (op_array=0x8841b44) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#12 0x08229498 in execute (op_array=0x8488c1c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#13 0x08229498 in execute (op_array=0x848859c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#14 0x08212d7d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php-4.4.7/Zend/zend.c:939
#15 0x081d9897 in php_execute_script (primary_file=0xbfc2275c) at /usr/local/src/php-4.4.7/main/main.c:1757
#16 0x082314b4 in main (argc=2, argv=0xbfc22844) at /usr/local/src/php-4.4.7/sapi/cli/php_cli.c:838
(gdb)
 [2007-06-06 20:09 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2007-06-06 20:18 UTC] riverfr0zen at elitemail dot org
function startElement(){}
function endElement(){}

$feed = fopen('http://feeds.feedburner.com/thr/film', "r");

if ($feed)
{
	$_parser = xml_parser_create();
	xml_set_element_handler($_parser, "startElement", "endElement"); 
	xml_set_character_data_handler($_parser, "characterData");
	while ($data = fread($feed, 4096)) {
		if (xml_parse($_parser, $data, feof($feed)) !== 1)
		{
			print xml_error_string(xml_get_error_code($_parser)) . "\n";
			print xml_get_current_line_number($_parser) . "\n";
		}
	}
	fclose($feed); 
	xml_parser_free($_parser);
}
 [2007-06-06 20:21 UTC] riverfr0zen at elitemail dot org
Note: Commenting out the line 

print xml_get_current_line_number($_parser) . "\n";

in the simple script above allows the script to complete execution without a seg fault.
 [2007-06-06 23:58 UTC] riverfr0zen at elitemail dot org
Ha. Of course, I violate the first instruction :) Here it is with beginning and ending PHP tags.

<?php

print "begin\n";
function startElement(){}
function endElement(){}

$feed = fopen('http://feeds.feedburner.com/thr/film', "r");

if ($feed)
{
	$_parser = xml_parser_create();
	xml_set_element_handler($_parser, "startElement", "endElement"); 
	xml_set_character_data_handler($_parser, "characterData");
	while ($data = fread($feed, 4096)) {
		if (xml_parse($_parser, $data, feof($feed)) !== 1)
		{
			print xml_error_string(xml_get_error_code($_parser)) . "\n";
			print xml_get_current_line_number($_parser) . "\n";
		}
	}
	fclose($feed); 
	xml_parser_free($_parser);
}
print "end\n";
?>

------------
If you comment out

print xml_get_current_line_number($_parser) . "\n";

the script successfully prints out "end". But if it is left there, it never arrives, and gets a segmentation fault instead.
 [2007-06-30 14:21 UTC] rrichards@php.net
I cannot reproduce this. Do you have some static data that triggers the segfault?
 [2007-07-08 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
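
Added example (not part of the original report and not PHP project code): a network-free variant of the reporter's script that feeds a constructed malformed document to the parser in 4096-byte chunks, defines all three handlers, and stops at the first failed xml_parse() call, so the error position is queried exactly once instead of on every later chunk. The helper name parseChunks() and the sample XML are assumptions made for illustration; this shows the usage pattern only and is not claimed to reproduce or fix the crash reported above.

```php
<?php
// Added example: constructed input, hypothetical helper name parseChunks().

function startElement($parser, $name, $attrs) {}
function endElement($parser, $name) {}
function characterData($parser, $data) {}

/**
 * Feed $xml to an XML parser in $chunkSize-byte pieces.
 * Returns null if the document parsed cleanly, otherwise an array
 * describing the first error. The parser is released on return.
 */
function parseChunks($xml, $chunkSize = 4096)
{
    $parser = xml_parser_create();
    xml_set_element_handler($parser, 'startElement', 'endElement');
    xml_set_character_data_handler($parser, 'characterData');

    $error  = null;
    $length = strlen($xml);
    for ($offset = 0; $offset < $length; $offset += $chunkSize) {
        $chunk   = substr($xml, $offset, $chunkSize);
        $isFinal = ($offset + $chunkSize >= $length);
        if (xml_parse($parser, $chunk, $isFinal) !== 1) {
            $code  = xml_get_error_code($parser);
            $error = array(
                'message' => xml_error_string($code),
                'line'    => xml_get_current_line_number($parser),
            );
            break; // do not feed more data to a parser that has already failed
        }
    }
    return $error;
}

// Constructed sample: padded past two chunks, with an unescaped '&' in the last item.
$items = str_repeat("<item><title>ok</title></item>\n", 300);
$xml   = "<?xml version=\"1.0\"?>\n<rss><channel>\n" . $items
       . "<item><title>A & B</title></item>\n</channel></rss>\n";

$result = parseChunks($xml);
if ($result === null) {
    print "parsed cleanly\n";
} else {
    print $result['message'] . "\n" . $result['line'] . "\n";
}
```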