Bug #13322 Still SIGSEGV with DOMXML / double free()
Submitted: 2001-09-15 17:17 UTC Modified: 2002-01-12 06:48 UTC
From: ih at fido dot cz Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.0CVS-2001-09-15 OS: Debian Linux 2.2
Private report: No CVE-ID: None
 [2001-09-15 17:17 UTC] ih at fido dot cz
DOMXML still has a problem with SIGSEGV. Now, after shutdown, php_free_xml_dom gets a NULL pointer and xmlFreeDoc does a double free or something like that. I hope that the problem is mine, but joey, please look at this.

My script:
--- test.php ---
<?php
$doc = xmldocfile('./test.xml');
?>

--- test.xml ---
<?xml version="1.0" encoding="iso-8859-2"?><root>
  <nothing/>
</root>

And result is:

Program received signal SIGSEGV, Segmentation fault.
0x40208860 in free () from /lib/libc.so.6
(gdb) bt
#0  0x40208860 in free () from /lib/libc.so.6
#1  0x400b0ca9 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#2  0x400b0c67 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#3  0x400af18c in xmlFreeDoc () from /usr/lib/libxml2.so.2
#4  0x808522d in php_free_xml_doc (rsrc=0x8290e24) at 
#5  0x813385a in list_entry_destructor (ptr=0x8290e24) at zend_list.c:177
#6  0x8133a45 in zend_destroy_rsrc_list (ht=0x8202a64) at zend_list.c:248
#7  0x8122a10 in shutdown_executor () at zend_execute_API.c:190
#8  0x812c2d6 in zend_deactivate () at zend.c:595
#9  0x8078def in php_request_shutdown (dummy=0x0) at main.c:736
#10 0x8138294 in apache_php_module_main (r=0x8283de4, display_source_mode=0)
    at sapi_apache.c:96
#11 0x8076446 in send_php ()
#12 0x80764a2 in send_parsed_php ()
#13 0x815fdd9 in ap_invoke_handler ()
#14 0x817475f in process_request_internal ()
#15 0x8174bb6 in ap_internal_redirect ()
#16 0x815236d in mod_gzip_redir1_handler ()
#17 0x8150c02 in mod_gzip_handler ()
#18 0x815fdd9 in ap_invoke_handler ()
#19 0x817475f in process_request_internal ()
#20 0x81747c6 in ap_process_request ()
#21 0x816b6d6 in child_main ()
#22 0x816b891 in make_child ()
#23 0x816ba0c in startup_children ()
#24 0x816c07c in standalone_main ()
#25 0x816c8ac in main ()
#26 0x401b364f in __libc_start_main () from /lib/libc.so.6


I tried to debug, and:
=php_domxml.c(v1.74):2269 in xmldocfile()
..
docp = xmlParseFile(Z_STRVAL_P(arg));
...
=print *docp
{_private = 0x0, type = XML_DOCUMENT_NODE, name = 0x0,
  children = 0x82b0658, last = 0x82b0658, parent = 0x0, next = 0x0,
  prev = 0x0, doc = 0x82b05c0, compression = -1, standalone = -1,
  intSubset = 0x0, extSubset = 0x0, oldNs = 0x0, version = 0x82b0618 "1.0",
  encoding = 0x82b06e8 "iso-8859-2", ids = 0x0, refs = 0x0,
  URL = 0x82b0628 "./test.xml", charset = 1}.
=

Looks like the file was parsed without problem; *return_value looks good. But zend_list_addref(ret) returns ret, not return_value. Is that right?

 [2001-09-15 17:27 UTC] ih at fido dot cz
ii  libc6          2.2.4-1        GNU C Library: Shared libraries
ii  libc6-dbg      2.2.4-1        GNU C Library: Libraries with
ii  libc6-dev      2.2.4-1        GNU C Library: Development Lib
ii  libxml1        1.8.15-1       GNOME XML library
ii  libxml2        2.4.3-1        GNOME XML library
ii  libxml2-dev    2.4.3-1        Development files for the GNOM
ii  libxmltok1     1.1-6          XML Parser Toolkit, runtime libraries

APACHE:
Server version: Apache/1.3.20 (Unix)
Server built:   Sep 15 2001 22:10:37
Server's Module Magic Number: 19990320:10
Server compiled with....
 -D HAVE_MMAP
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD.
 -D USE_MMAP_FILES
 -D USE_SYSVSEM_SERIALIZED_ACCEPT
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D HTTPD_ROOT="/rscr/apprscr2"
 -D SUEXEC_BIN="/rscr/apprscr2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="logs/access_log"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"
Compiled-in modules:
  http_core.c
  mod_log_config.c
  mod_mime.c
  mod_status.c
  mod_dir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_setenvif.c
  mod_php4.c
  mod_gzip.c
EXTRA_CFLAGS=-DDYNAMIC_MODULE_LIMIT=0 ./configure
                --prefix=/rscr/apprscr2 \
                --with-layout=Apache \
                --disable-module=env \
                --disable-module=negotiation \
                --disable-module=userdir \
                --disable-module=asis \
                --disable-module=include \
                --disable-module=cgi \
                --disable-module=actions \
                --disable-module=imap \
                --disable-module=autoindex \
                --enable-module=dir \
                --enable-module=rewrite \
                --enable-module=alias \
                --enable-module=setenvif \
                --activate-module=src/modules/php4/libphp4.a \
               --activate-module=src/modules/gzip/mod_gzip.o


PHP4_SNAPSHOT: php4-200109151335
/configure --prefix=/rscr/apprscr2 \
                --with-apache=../apache_1.3.20 \
                --with-config-file-path=/rscr/apprscr2/conf \
                --with-pear=/rscr/pear2 \
                --with-regex=system \
                --enable-debug \
                --enable-track-vars \
                --enable-trans-sid \
                --disable-rpath \
                --enable-session \
                --enable-memory-limit \
                --enable-sysvsem \
                --enable-sysvshm \
                --enable-shmop \
                --enable-ctype \
                --enable-sockets \
                --enable-exif \
                --with-jpeg-dir=shared,/usr \
                --with-xpm-dir=shared,/usr/X11R6 \
                --with-png-dir=shared,/usr \
                --with-ttf=shared,/usr \
                --with-t1lib=shared,/usr \
                --with-mm \
                --with-pcre-regex=/usr \
                --without-pgsql \
                --with-mysql=/usr \
                --with-dom=/usr \
                --with-zlib=/usr \
                --with-iconv=/usr


 [2001-09-15 17:31 UTC] joey@php.net
I cannot duplicate this with current CVS... are you absolutely SURE you are using the most recent CVS?
 [2001-09-15 17:47 UTC] ih at fido dot cz
I've got php4-200109151335.tar.bz from http://snaps.php.net. I can try the latest one, http://snaps.php.net:8000/php4-200109151635.tar.bz2.
 [2001-09-15 18:17 UTC] ih at fido dot cz
The problem is still there in the latest CVS. Standalone php (cgi) has the same problem.

Program received signal SIGSEGV, Segmentation fault.
0x401fab13 in free () from /lib/libc.so.6
(gdb) bt
#0  0x401fab13 in free () from /lib/libc.so.6
#1  0x401fa873 in free () from /lib/libc.so.6
#2  0x400efca9 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#3  0x400efc67 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#4  0x400ee18c in xmlFreeDoc () from /usr/lib/libxml2.so.2
#5  0x806f05d in php_free_xml_doc (rsrc=0x81dae54) at php_domxml.c:353
#6  0x811d85a in list_entry_destructor (ptr=0x81dae54) at zend_list.c:177
#7  0x811da45 in zend_destroy_rsrc_list (ht=0x8185d64) at zend_list.c:248
#8  0x810ca10 in shutdown_executor () at zend_execute_API.c:190
#9  0x81162d6 in zend_deactivate () at zend.c:595
#10 0x8062c1f in php_request_shutdown (dummy=0x0) at main.c:736
#11 0x8061533 in main (argc=2, argv=0xbffffb04) at cgi_main.c:775



 [2001-09-15 19:15 UTC] ih at fido dot cz
The result with the newest libxml2-2.4.5 is the same.

Program received signal SIGSEGV, Segmentation fault
0x401fa860 in free () from /lib/libc.so.6
(gdb) bt
#0  0x401fa860 in free () from /lib/libc.so.6
#1  0x400efe79 in xmlFreeNodeList (cur=0x81f98e0) at tree.c:2372
#2  0x400efe37 in xmlFreeNodeList (cur=0x81f9898) at tree.c:2364
#3  0x400ee2dc in xmlFreeDoc (cur=0x81f9800) at tree.c:525
#4  0x806f06d in php_free_xml_doc (rsrc=0x81dae74) at php_domxml.c:353
#5  0x811d86a in list_entry_destructor (ptr=0x81dae74) at zend_list.c:177
#6  0x811da55 in zend_destroy_rsrc_list (ht=0x8185d84) at zend_list.c:248
#7  0x810ca20 in shutdown_executor () at zend_execute_API.c:190
#8  0x81162e6 in zend_deactivate () at zend.c:595
#9  0x8062c2f in php_request_shutdown (dummy=0x0) at main.c:736
#10 0x8061543 in main (argc=2, argv=0xbffffb04) at cgi_main.c:775


 [2001-09-17 04:19 UTC] ih at fido dot cz
The problem is on shutdown, when destroying/freeing allocated memory.
Breakpoint 2, main (argc=2, argv=0xbffffdb4) at cgi_main.c:775
775                     php_request_shutdown((void *) 0);

php_request_shutdown (dummy=0x0) at main.c:711
736             zend_deactivate(TSRMLS_C);

zend_deactivate () at zend.c:587
595             shutdown_executor(TSRMLS_C);

shutdown_executor () at zend_execute_API.c:162
190             zend_destroy_rsrc_list(&EG(regular_list) TSRMLS_CC);

zend_destroy_rsrc_list (ht=0x81798a4) at zend_list.c:235
231     void zend_destroy_rsrc_list(HashTable *ht TSRMLS_DC)
232     {
233             Bucket *p, *q;
234
235             while (1) {
236                     p = ht->pListTail;
237                     if (!p) {
238                             break;
239                     }
240                     q = p->pListLast;
241                     if (q) {
242                             q->pListNext = NULL;
243                     }
244                     ht->pListTail = q;
245
246                     if (ht->pDestructor) {
247                             zend_try {
248                                   ht->pDestructor(p->pData);
249                             } zend_end_try();
250                     }
251                     if (!p->pDataPtr && p->pData) {
252                             pefree(p->pData, ht->persistent);
253                     }
254                     pefree(p, ht->persistent);
255             }
256             pefree(ht->arBuckets, ht->persistent);
257     }


ht = (HashTable *) 0x81798a4
{nTableSize = 8, nTableMask = 7, nNumOfElements = 2,
  nNextFreeElement = 3, pInternalPointer = 0x81ad614, pListHead = 0x81ad614,
  pListTail = 0x81ac7ec, arBuckets = 0x81a8894,
  pDestructor = 0x810cc14 <list_entry_destructor>, persistent = 0 '\000',
  nApplyCount = 0 '\000', bApplyProtection = 1 '\001', inconsistent = 0}

p = (Bucket *) 0x81ac7ec
{h = 2, nKeyLength = 0, pData = 0x81ac844, pDataPtr = 0x0,
  pListNext = 0x0, pListLast = 0x81ad614, pNext = 0x0, pLast = 0x0, arKey = ""}

q = (Bucket)*ht->pListTail->pListLast
{h = 1, nKeyLength = 0, pData = 0x81b09ac, pDataPtr = 0x0,
  pListNext = 0x81ac7ec, pListLast = 0x0, pNext = 0x0, pLast = 0x0, arKey = ""}

print (Bucket)*ht->pListTail->pListLast->pListNext
{h = 2, nKeyLength = 0, pData = 0x81ac844, pDataPtr = 0x0,
  pListNext = 0x0, pListLast = 0x81ad614, pNext = 0x0, pLast = 0x0, arKey = ""}

ht->pDestructor(0x81ac844);

print (Bucket)*p
{h = 2, nKeyLength = 0, pData = 0x81ac844, pDataPtr = 0x0,
  pListNext = 0x0, pListLast = 0x81ad614, pNext = 0x0, pLast = 0x0, arKey = ""}

pefree(p->pData, ht->persistent);

and the second cycle

p= (Bucket)*ht->pListTail
$142 = {h = 1, nKeyLength = 0, pData = 0x81b09ac, pDataPtr = 0x0,
  pListNext = 0x0, pListLast = 0x0, pNext = 0x0, pLast = 0x0, arKey = ""}

q = p->pListLast;
ht->pListTail = q; (now 0x0)
ht->pDestructor still points to the zend list destructor php_free_xml_doc, and
pData = 0x81b09ac is the same.

What's wrong?
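The shutdown walk traced above, and the earlier question about zend_list_addref(ret), both come down to ownership: zend_destroy_rsrc_list runs the list destructor once per entry, so a document reachable from more than one entry is handed to xmlFreeDoc twice unless the document itself carries a reference count. The C model below is an added example, not PHP's or libxml2's code; every name in it (rsrc_list, xml_doc, doc_release, register_doc, the quarantine array) is hypothetical, and the file name is a constructed value. It mirrors the tail-to-head loop of zend_destroy_rsrc_list, shows the refcounted registration that frees exactly once, and keeps a debug-only quarantine of freed pointers so the "missing addref" pattern is caught and counted instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a Zend-style resource list (not PHP's own code). */
typedef struct xml_doc {
    char *url;
    int refcount;                     /* how many resource entries own this doc */
} xml_doc;

typedef void (*rsrc_dtor)(void *data);

typedef struct rsrc_entry {
    int id;
    void *data;
    rsrc_dtor dtor;
    struct rsrc_entry *prev, *next;   /* like pListLast / pListNext */
} rsrc_entry;

typedef struct { rsrc_entry *head, *tail; int next_id; } rsrc_list;

/* Counters so the outcome can be observed without reading freed memory. */
static int g_docs_freed = 0;
static int g_double_free_blocked = 0;
int docs_freed(void) { return g_docs_freed; }
int double_frees_blocked(void) { return g_double_free_blocked; }

/* Debug-only quarantine of freed doc pointers (constructed for this model). */
#define QUARANTINE 64
static void *g_freed[QUARANTINE];
static int g_nfreed = 0;

static int was_freed(const void *p) {
    for (int i = 0; i < g_nfreed; i++)
        if (g_freed[i] == p) return 1;
    return 0;
}

static xml_doc *doc_parse(const char *url) {
    xml_doc *d = calloc(1, sizeof *d);
    d->url = malloc(strlen(url) + 1);
    strcpy(d->url, url);
    return d;
}

/* Destructor: the quarantine catches a second run on an already-freed
 * pointer; the refcount makes sure memory goes back only with the last owner. */
static void doc_release(void *p) {
    xml_doc *d = p;
    if (was_freed(d)) { g_double_free_blocked++; return; }
    if (--d->refcount > 0) return;
    free(d->url);
    if (g_nfreed < QUARANTINE) g_freed[g_nfreed++] = d;
    free(d);
    g_docs_freed++;
}

/* Append data under a fresh resource id (like zend_list_insert). */
static int list_insert(rsrc_list *l, void *data, rsrc_dtor dtor) {
    rsrc_entry *e = calloc(1, sizeof *e);
    e->id = l->next_id++;
    e->data = data;
    e->dtor = dtor;
    e->prev = l->tail;
    if (l->tail) l->tail->next = e; else l->head = e;
    l->tail = e;
    return e->id;
}

/* Correct registration: each owner takes one reference. */
static int register_doc(rsrc_list *l, xml_doc *d) {
    d->refcount++;
    return list_insert(l, d, doc_release);
}

/* Shutdown walk, tail to head, mirroring zend_destroy_rsrc_list(). */
static void destroy_rsrc_list(rsrc_list *l) {
    while (l->tail) {
        rsrc_entry *p = l->tail;
        rsrc_entry *q = p->prev;
        if (q) q->next = NULL;
        l->tail = q;
        if (p->dtor) p->dtor(p->data);
        free(p);
    }
    l->head = NULL;
}

static void reset_counters(void) { g_docs_freed = g_double_free_blocked = g_nfreed = 0; }

/* One doc registered twice with correct refcounting: returns real frees (1). */
int scenario_refcounted(void) {
    reset_counters();
    rsrc_list l = { NULL, NULL, 1 };
    xml_doc *d = doc_parse("./test.xml");          /* constructed sample file name */
    register_doc(&l, d);
    register_doc(&l, d);                           /* second resource id, same doc */
    destroy_rsrc_list(&l);
    return g_docs_freed;
}

/* The defect pattern: same pointer inserted twice, second owner never takes a
 * reference. Returns the number of blocked double-free attempts (1). */
int scenario_missing_addref(void) {
    reset_counters();
    rsrc_list l = { NULL, NULL, 1 };
    xml_doc *d = doc_parse("./test.xml");
    register_doc(&l, d);
    list_insert(&l, d, doc_release);               /* bug: no refcount++ here */
    destroy_rsrc_list(&l);
    return g_double_free_blocked;
}

int main(void) {
    printf("refcounted: docs freed = %d\n", scenario_refcounted());
    printf("missing addref: blocked double frees = %d\n", scenario_missing_addref());
    return 0;
}
```

In the real engine the equivalent of the quarantine is a debug allocator or a freed-pointer check, and the equivalent of register_doc is making sure every zend_list_insert of the same underlying pointer is matched by a zend_list_addref on that same resource; the shutdown loop itself is correct and should not be patched around.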
 [2001-12-22 12:06 UTC] mfischer@php.net
Can you try the latest CVS? I believe this is fixed.

Feedback.
 [2002-01-12 06:48 UTC] lobbin@php.net
No feedback. Closing.