Bug #12002 SIGSEGV with DOMXML (double free()?)
Submitted: 2001-07-10 05:27 UTC Modified: 2001-08-10 11:09 UTC
From: hulinsky at datasec dot cz Assigned:
Status: Closed Package: DOM XML related
PHP Version: 4.0.6 OS: Debian Linux 2/testing
Private report: No CVE-ID: None
 [2001-07-10 05:27 UTC] hulinsky at datasec dot cz
Script too complex to post here (XML edit module). php.ini and apache config - nothing special.

PHP 4.0.6
./configure --prefix=/rscr/apprscr \
                --with-apache=../../APACHE/ORIG/apache_1.3.20 \
                --with-config-file-path=/rscr/apprscr/conf \
                --with-regex=system \
                --enable-debug \
                --enable-track-vars \
                --enable-trans-sid \
                --disable-rpath \
                --enable-session \
                --enable-memory-limit \
                --enable-sysvsem \
                --enable-sysvshm \
                --enable-shmop \
                --enable-ctype \
                --enable-sockets \
                --enable-exif \
                --with-jpeg-dir=shared,/usr \
                --with-xpm-dir=shared,/usr/X11R6 \
                --with-png-dir=shared,/usr \
                --with-ttf=shared,/usr \
                --with-t1lib=shared,/usr \
                --with-mm \
                --with-xml=/usr \ (debian ext/xml/config.m4 patch)
                --with-expat-dir=/usr \
                --with-pcre-regex=/usr \
                --without-pgsql \
                --with-mysql=/usr \
                --with-dom=/usr \
                --with-zlib=/usr \
                --with-ming=/usr \
                --with-iconv=/usr

Apache 1.3.20
./configure --prefix=/rscr/apprscr --with-layout=Apache --disable-module=env --enable-module=setenvif --disable-module=negotiation --enable-module=alias --disable-module=userdir --disable-module=asis --disable-module=include --disable-module=cgi --disable-module=actions --disable-module=imap --disable-module=autoindex --enable-module=dir --activate-module=src/modules/php4/libphp4.a --activate-module=src/modules/gzip/mod_gzip.o --enable-module=rewrite

make EXTRA_CFLAGS=-DDYNAMIC_MODULE_LIMIT=0


ldd httpd
        libpam.so.0 => /lib/libpam.so.0 (0x40020000)
        libdl.so.2 => /lib/libdl.so.2 (0x40028000)
        libexpat.so.0 => /usr/lib/libexpat.so.0 (0x4002c000)
        libmm.so.11 => /usr/lib/libmm.so.11 (0x40049000)
        libpcre.so.3 => /usr/lib/libpcre.so.3 (0x4004e000)
        libmysqlclient.so.10 => /usr/lib/libmysqlclient.so.10 (0x40057000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4008b000)
        libming.so => /usr/lib/libming.so (0x4009b000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x400c2000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4014e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4017c000)
        libm.so.6 => /lib/libm.so.6 (0x4018d000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x401af000)
        libdb.so.2 => /lib/libdb.so.2 (0x401c4000)
        libc.so.6 => /lib/libc.so.6 (0x401d2000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

libc6          2.2.3-5
libc6-dbg      2.2.3-5
libxml2        2.3.13-1
libxml2-dev    2.3.13-1
libexpat1      1.95.1-5
libexpat1-dev  1.95.1-5
libc6-dev 2.2.3-5

GDB trace:

(gdb) run -X
Starting program: /XX/./httpd -X

Program received signal SIGSEGV, Segmentation fault.
0x4024320b in free () from /lib/libc.so.6
(gdb) bt
#0  0x4024320b in free () from /lib/libc.so.6
#1  0x401124d0 in xmlXPathFreeNodeSet () from /usr/lib/libxml2.so.2
#2  0x40112fc8 in xmlXPathFreeObject () from /usr/lib/libxml2.so.2
#3  0x8085362 in php_free_xpath_object (rsrc=0x86e6ed4) at php_domxml.c:188
#4  0x8118bda in list_entry_destructor (ptr=0x86e6ed4) at zend_list.c:179
#5  0x811722b in zend_hash_apply_deleter (ht=0x81e8150, p=0x86e6d04)
    at zend_hash.c:615
#6  0x81173e8 in zend_hash_graceful_destroy (ht=0x81e8150) at zend_hash.c:666
#7  0x8118d27 in zend_destroy_rsrc_list () at zend_list.c:234
#8  0x81090c1 in shutdown_executor () at zend_execute_API.c:179
#9  0x811242c in zend_deactivate () at zend.c:540
#10 0x807a867 in php_request_shutdown (dummy=0x0) at main.c:660
#11 0x8077c77 in php_apache_request_shutdown ()
#12 0x8147c39 in run_cleanups ()
#13 0x81462d5 in ap_clear_pool ()
#14 0x8146357 in ap_destroy_pool ()
#15 0x81462c1 in ap_clear_pool ()
#16 0x8156551 in child_main ()
#17 0x8156b91 in make_child ()
#18 0x8156d0c in startup_children ()
#19 0x815737c in standalone_main ()
#20 0x8157bac in main ()
#21 0x401ef2db in __libc_start_main () from /lib/libc.so.6

or with MALLOC_CHECK_=2

#0  0x401feaf1 in kill () from /lib/libc.so.6
#1  0x401fe7d4 in raise () from /lib/libc.so.6
#2  0x401fff51 in abort () from /lib/libc.so.6
#3  0x402451d0 in malloc_set_state () from /lib/libc.so.6
#4  0x402431fa in free () from /lib/libc.so.6
#5  0x401124d0 in xmlXPathFreeNodeSet () from /usr/lib/libxml2.so.2
#6  0x40112fc8 in xmlXPathFreeObject () from /usr/lib/libxml2.so.2
#7  0x8085362 in php_free_xpath_object (rsrc=0x841bc84) at php_domxml.c:188
#8  0x8118bda in list_entry_destructor (ptr=0x841bc84) at zend_list.c:179
#9  0x811722b in zend_hash_apply_deleter (ht=0x81e8150, p=0x8682fb4)
    at zend_hash.c:615
#10 0x81173e8 in zend_hash_graceful_destroy (ht=0x81e8150) at zend_hash.c:666
#11 0x8118d27 in zend_destroy_rsrc_list () at zend_list.c:234
#12 0x81090c1 in shutdown_executor () at zend_execute_API.c:179
#13 0x811242c in zend_deactivate () at zend.c:540
#14 0x807a867 in php_request_shutdown (dummy=0x0) at main.c:660
#15 0x8077c77 in php_apache_request_shutdown ()
#16 0x8147c39 in run_cleanups ()
#17 0x81462d5 in ap_clear_pool ()
#18 0x8146357 in ap_destroy_pool ()
#19 0x81462c1 in ap_clear_pool ()
#20 0x8156551 in child_main ()
#21 0x8156b91 in make_child ()
#22 0x8156d0c in startup_children ()
#23 0x815737c in standalone_main ()
#24 0x8157bac in main ()
#25 0x401ef2db in __libc_start_main () from /lib/libc.so.6


php-error.log
php_domxml.c(1475) :  Freeing 0x082E7BCC (12 bytes), script=/edit_article_dom.html
Last leak repeated 44 times
free(): invalid pointer 0x860dc38!
free(): invalid pointer 0x89f7498!
free(): invalid pointer 0x887a8b0!
free(): invalid pointer 0x84ae8e8!
php_domxml.c(1475) :  Freeing 0x086A867C (12 bytes), script=/edit_article_dom.html
Last leak repeated 45 times
php_domxml.c(1689) :  Freeing 0x0897C19C (48 bytes), script=/edit_article_dom.html
zend_API.c(208) : Actual location (location was relayed)
Last leak repeated 1 time
php_domxml.c(1700) :  Freeing 0x087712B4 (12 bytes), script=/edit_article_dom.html
Last leak repeated 1 time
zend_API.c(574) :  Freeing 0x0850AE4C (12 bytes), script=/edit_article_dom.html
Last leak repeated 1 time
zend_API.c(544) :  Freeing 0x0850AB1C (12 bytes), script=/edit_article_dom.html
Last leak repeated 1 time
zend_hash.c(198) :  Freeing 0x089698E4 (20 bytes), script=/edit_article_dom.html
Last leak repeated 3 times
php_domxml.c(1701) :  Freeing 0x0896AAA4 (48 bytes), script=/edit_article_dom.html
zend_API.c(188) : Actual location (location was relayed)
Last leak repeated 1 time
zend_hash.c(287) :  Freeing 0x0850BCDC (47 bytes), script=/edit_article_dom.html
Last leak repeated 3 times
php_domxml.c(1475) :  Freeing 0x0826A50C (12 bytes), script=/edit_article_dom.html
Last leak repeated 44 times
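As an added example (not PHP's or libxml2's code), a minimal tracking allocator of the kind that produces the `Freeing 0x... (N bytes)` lines in the log above when PHP is built with `--enable-debug`: every allocation is tagged with the caller's file:line, freeing a pointer that is not a live block is logged instead of being forwarded to libc free(), and the shutdown sweep reports whatever was never released. The 12- and 48-byte blocks and the repeated free are a constructed scenario, not derived from the reporter's script.

```c
#include <stdio.h>
#include <stdlib.h>
/* One record per outstanding allocation, tagged with the caller's file:line. */
typedef struct block { void *ptr; size_t size; const char *file; int line; struct block *next; } block;
static block *live = NULL;   /* linked list of blocks not yet freed */
#define DBG_MALLOC(n) dbg_malloc((n), __FILE__, __LINE__)
#define DBG_FREE(p)   dbg_free((p), __FILE__, __LINE__)

void *dbg_malloc(size_t size, const char *file, int line) {
    block *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->ptr = malloc(size ? size : 1);
    if (!b->ptr) { free(b); return NULL; }
    b->size = size; b->file = file; b->line = line;
    b->next = live; live = b;
    return b->ptr;
}

/* Returns 1 after a valid free; 0 (plus a log line) when ptr is not a live
 * block, i.e. a double or wild free that is NOT forwarded to libc free(). */
int dbg_free(void *ptr, const char *file, int line) {
    for (block **pp = &live; *pp; pp = &(*pp)->next) {
        if ((*pp)->ptr == ptr) {
            block *b = *pp; *pp = b->next;
            free(b->ptr); free(b);
            return 1;
        }
    }
    fprintf(stderr, "%s(%d) : free(): invalid pointer %p!\n", file, line, ptr);
    return 0;
}

/* Request-shutdown sweep: logs and releases every leaked block, returns the count. */
int dbg_shutdown(void) {
    int leaks = 0;
    for (block *b; (b = live) != NULL; leaks++) {
        live = b->next;
        fprintf(stderr, "%s(%d) :  Freeing %p (%zu bytes)\n", b->file, b->line, b->ptr, b->size);
        free(b->ptr); free(b);
    }
    return leaks;
}

/* Constructed scenario: a 12-byte block freed twice, a 48-byte block never freed. */
int double_free_scenario(void) {
    void *nodeset = DBG_MALLOC(12), *doc = DBG_MALLOC(48);
    int invalid = !DBG_FREE(nodeset);   /* first free is valid: adds 0 */
    invalid += !DBG_FREE(nodeset);      /* second free is caught: adds 1 */
    return invalid + (doc == NULL);     /* doc stays live for dbg_shutdown() to report */
}
```

Glibc's MALLOC_CHECK_=2, used for the second trace above, does the same kind of check inside free() itself and aborts rather than logging, which is why that trace ends in abort() under free().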

 [2001-07-10 06:04 UTC] joey@php.net
Great! Thanks for the report. Would it be possible for you
to provide as short as possible of a reproducing script/xml
file, either through the bug report interface or by providing a hyperlink, or something?
 [2001-08-10 11:09 UTC] alindeman@php.net
no feedback
 [2004-05-06 17:35 UTC] michal at pasternak dot w dot lub dot pl
I have the same bug, somewhere in DOMXML module, I believe, using 4.3.3 and 4.3.6, both on FreeBSD machines.

This bug report should be reopened and reexamined IMO. I will try to provide some simple test case soon.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 18:01:29 2024 UTC