PHP :: Bug #42728 :: tidy_get_body segfaults on bad page

Bug #42728	tidy_get_body segfaults on bad page
Submitted:	2007-09-21 14:50 UTC	Modified:	2007-09-23 15:11 UTC
From:	nyos at nyos dot homelinux dot net	Assigned:
Status:	Not a bug	Package:	Tidy (PECL)
PHP Version:	5.2.4	OS:	Kubuntu linux 7.04 Feisty Fawn
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	nyos at nyos dot homelinux dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2007-09-21 14:50 UTC] nyos at nyos dot homelinux dot net

Description:
------------
Tidy (libtidy, php-tidy) fails on a (syntactically) incorrect page.
This mustn't happen of course.
A segmentation fault might be caused by a buffer overrun, or a wandering pointer, which might be a security issue as well. (However, breaking into a bot using tidy through this bug is very unlikely.)
Tidy's purpose is to correct incorrect pages, so it needs to be error-proof.

versions: ubuntu feisty default install + kubuntu-desktop + up-to date system, however, I'm not sure even if it's a bug in php or in tidy
Package: tidy Version: 20051018-1
Package: libtidy-0.99-0 Version: 20051018-1
Package: php5-tidy Version: 5.2.1-0ubuntu1.4
(this is the newest version in package, but I didn't see anything about this bug, so possibly it's still a bug)

Reproduce code:
---------------
<?
/* // this won't work either
  $file_data='
  <html>
    <frameset >
    </frameset>
  </html>
  ';
*/
  $file_data='
    <frameset >
    </frameset>
  ';

  $t=tidy_parse_string(trim($file_data));
  $t->cleanRepair();

  echo "following line segfaults..\n";
  $body=tidy_get_body($t);
  echo "..or works?\n";
?>

Expected result:
----------------
$body=null, warning, or anything else..

Actual result:
--------------
nyos@falken:~/webmasters/tidybug$ ./tidy.php
following line segfaults..
Segmentation fault (core dumped)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-09-21 16:44 UTC] scottmac@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

[2007-09-22 04:15 UTC] nyos at nyos dot homelinux dot net

Thanks for your fast reply.
I've compiled 5.2.4 with ./configure --enable-debug --with-tidy 
command line switches. Here's the backtrace.

Core was generated by 
`/home/nyos/webmasters/tidybug/src/php-5.2.4/sapi/cli/php ./tidy.php'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7f7e3d8 in tidyGetChild () from /usr/lib/libtidy-0.99.so.0
(gdb) bt
#0  0xb7f7e3d8 in tidyGetChild () from /usr/lib/libtidy-0.99.so.0
#1  0x082b5f98 in tidy_add_default_properties (obj=0x854bda0, 
type=is_node)
    
at /home/nyos/webmasters/tidybug/src/php-5.2.4/ext/tidy/tidy.c:811
#2  0x082b64c8 in php_tidy_create_node (ht=1, return_value=0x854b4b0, 
return_value_ptr=0x0,
    this_ptr=0x0, return_value_used=1, node=is_body_node)
    
at /home/nyos/webmasters/tidybug/src/php-5.2.4/ext/tidy/tidy.c:902
#3  0x082b8e09 in zif_tidy_get_body (ht=1, return_value=0x854b4b0, 
return_value_ptr=0x0,
    this_ptr=0x0, return_value_used=1)
    
at /home/nyos/webmasters/tidybug/src/php-5.2.4/ext/tidy/tidy.c:1548
#4  0x083469a1 in zend_do_fcall_common_helper_SPEC 
(execute_data=0xbfb3c5e0)
    
at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend_vm_execute.h:200
#5  0x0834c257 in ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(execute_data=0xbfb3c5e0)
    
at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend_vm_execute.h:1681
#6  0x083464f1 in execute (op_array=0x854ade0)
    
at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend_vm_execute.h:92
#7  0x08321b41 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend.c:1134
#8  0x082cdc05 in php_execute_script (primary_file=0xbfb3e958)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/main/main.c:1982
#9  0x0839b5a1 in main (argc=2, argv=0xbfb3eac4)
    
at /home/nyos/webmasters/tidybug/src/php-5.2.4/sapi/cli/php_cli.c:1140
(gdb) frame 6
#6  0x083464f1 in execute (op_array=0x854ade0)
    
at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data 
TSRMLS_CC) > 0) {

[2007-09-23 15:11 UTC] iliaa@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

From the backtrace it would seem that the crash is happening in your 
libtidy and not PHP. I've tried to reproduce the crash with both of your 
examples and it works fine here, and no errors are reported by valgrind.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Dec 02 11:00:01 2025 UTC