php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #49632 xmlrpc_decode result crashes on value assignment
Submitted: 2009-09-22 20:23 UTC Modified: 2009-09-22 21:19 UTC
From: m dot kurzyna at crystalpoint dot pl Assigned:
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.3.0 OS: Linux x86_64
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: m dot kurzyna at crystalpoint dot pl
New email:
PHP Version: OS:

 

 [2009-09-22 20:23 UTC] m dot kurzyna at crystalpoint dot pl 
Description:
------------
On decoding value with xmlrpc_decode() it will hang/crash PHP process when trying to assign result value.

This will work fine:

xmlrpc_decode('...','utf-8');

While this:

$r = xmlrpc_decode('...','utf-8');

Will hang/crash. 

This only happens on x86_64 systems - 32bit works fine.

Relevant part of the backtrace seems to be:

#24 0x00007fffeb297271 in XML_ParseBuffer () from /usr/lib64/libexpat.so.0
#25 0x00007fffeb4c329a in xml_elem_parse_buf () from /usr/lib64/libxmlrpc.so.0
#26 0x00007fffeb4c74e9 in XMLRPC_REQUEST_FromXML () from /usr/lib64/libxmlrpc.so.0
#27 0x00007fffeb6d3523 in decode_request_worker (xml_in=0x7ffff637ee60 "\2", xml_in_len=128, encoding_in=<value optimized out>, method_name_out=0xffffffffffffffff) at /usr/src/debug/php-5.3.0/ext/xmlrpc/xmlrpc-epi-php.c:764
#28 0x00007fffeb6d3630 in zif_xmlrpc_decode (ht=<value optimized out>, return_value=0x86e5e0, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=1, tsrm_ls=0x606ce0)
    at /usr/src/debug/php-5.3.0/ext/xmlrpc/xmlrpc-epi-php.c:821


I will provide full trace if needed.


Reproduce code:
---------------
<?php
    $v = xmlrpc_decode(
'<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
        <string>1</string>
      </value>
     </param>
  </params>
</methodResponse>','utf-8');
    echo "OK\n";
?>


Expected result:
----------------
OK

Actual result:
--------------
*** glibc detected *** /usr/bin/php: free(): invalid next size (fast): 0x00000000008a7540 ***

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-09-22 20:32 UTC] jani@php.net 
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I can not reproduce this. Also make sure you're not loading any zend 
extensions..
 [2009-09-22 20:50 UTC] m dot kurzyna at crystalpoint dot pl 
Unfortunatly i can reproduce it every time even on bare setup:

[root@apache-php53 bugs]# php -m                           
[PHP Modules]                                              
Core                                                       
date                                                       
ereg                                                       
libxml                                                     
mysqlnd                                                    
pcre                                                       
Reflection                                                 
session                                                    
SPL                                                        
standard                                                   
xmlrpc                                                     

[Zend Modules]

[root@apache-php53 bugs]# php xmlrpc_decode.php 
*** glibc detected *** php: free(): invalid next size (fast): 0x000000000079fbd0 ***

And then backtrace follows, see: http://pastebin.com/f5ed2df2d for full output.
 [2009-09-22 21:19 UTC] m dot kurzyna at crystalpoint dot pl 
I've just built current snap (2009.09.22 20:30) and it seems to work fine so it would seem that it's fixed in SVN.

Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 14:01:32 2024 UTC