Bug #27821 xml_parse cause segmentation fault when xml_set_object called from class method
Submitted: 2004-04-01 03:05 UTC
Modified: 2004-04-07 12:16 UTC
From: michael at elfimov dot com
Assigned:
Status: Closed
Package: XML related
PHP Version: 5CVS-2004-04-07
OS: *
Private report: No
CVE-ID: None

 [2004-04-01 03:05 UTC] michael at elfimov dot com
Description:
------------
xml_parse causes a segmentation fault when xml_set_object is called from a class member function (as shown in the example below). When xml_set_object is called from the class constructor or from the "parse" class method, things go OK, but when xml_set_object is placed in the "init" class method, things go wrong.

Reproduce code:
---------------
<?php

class sxml {
    var $handle;

    function start_elem($parser,$name,$attribs) {
        print "$name ";

        foreach($attribs as $key => $value) {
            print "$key = $value ";
        }
        print "\n";
    }

    function end_elem()
    {
    }

    function init() {
        $this->handle = xml_parser_create("ISO-8859-1");
        xml_set_object($this->handle, $this);
        xml_set_element_handler($this->handle,'start_elem','end_elem');
        xml_parser_set_option($this->handle,XML_OPTION_CASE_FOLDING,0);
    }

    function release() {
        xml_parser_free($this->handle);
    }

    function parse($source) {
        $this->init();
        xml_parse($this->handle, $source);
        $this->release();
    }

}

$source = '<OBJECT>
<CLIENT_ID>1</CLIENT_ID>
<CLIENT_CAT_ID>3</CLIENT_CAT_ID>
<USER_ID>1</USER_ID>
<GROUP_ID>2</GROUP_ID>
<SESSION_CODE>6f121f896c1db735891d28448b02b978</SESSION_CODE>
</OBJECT>';

$obj = new sxml;
$obj->parse($source);

?>


Expected result:
----------------
OBJECT
CLIENT_ID
CLIENT_CAT_ID
USER_ID
GROUP_ID
SESSION_CODE

Actual result:
--------------
Segmentation fault
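
The three call placements the report compares, as a regression check added here (not code from the report or from the PHP project). The class name PlacementProbe and its helper methods are hypothetical; the input and the expected element list are taken from the report.

```php
<?php
// Added regression check; PlacementProbe and its helpers are hypothetical names.
// xml_set_object() is deprecated as of PHP 8.4, so newer builds emit a notice.
class PlacementProbe {
    public $handle;
    public $seen = array();
    private $where;
    function __construct($where) {
        $this->where = $where;
        if ($where === 'constructor') {      // placement reported as working
            $this->create();
            xml_set_object($this->handle, $this);
            $this->handlers();
        }
    }
    function create() { $this->handle = xml_parser_create("ISO-8859-1"); }
    function handlers() {
        xml_set_element_handler($this->handle, 'start_elem', 'end_elem');
        xml_parser_set_option($this->handle, XML_OPTION_CASE_FOLDING, 0);
    }
    function init() {                        // placement reported as crashing
        $this->create();
        xml_set_object($this->handle, $this);
        $this->handlers();
    }
    // Record element names instead of printing them, so they can be compared.
    function start_elem($parser, $name, $attribs) { $this->seen[] = $name; }
    function end_elem($parser, $name) {}
    function parse($source) {
        if ($this->where === 'init') { $this->init(); }
        if ($this->where === 'parse') {      // placement reported as working
            $this->create();
            xml_set_object($this->handle, $this);
            $this->handlers();
        }
        return xml_parse($this->handle, $source, true) === 1;
    }
}
$source = '<OBJECT><CLIENT_ID>1</CLIENT_ID><CLIENT_CAT_ID>3</CLIENT_CAT_ID><USER_ID>1</USER_ID><GROUP_ID>2</GROUP_ID><SESSION_CODE>6f121f896c1db735891d28448b02b978</SESSION_CODE></OBJECT>';
$expected = array('OBJECT', 'CLIENT_ID', 'CLIENT_CAT_ID', 'USER_ID', 'GROUP_ID', 'SESSION_CODE');
$failed = 0;
foreach (array('constructor', 'init', 'parse') as $where) {
    $probe = new PlacementProbe($where);
    $ok = $probe->parse($source) && $probe->seen === $expected;
    print str_pad($where, 12) . ($ok ? "ok" : "FAIL") . "\n";
    if (!$ok) { $failed++; }
}
exit($failed);   // non-zero when any placement misbehaves
```

On a build with the reported defect the "init" case ends the process with a segmentation fault before its line is printed, so a test harness should treat a signal exit the same as a non-zero status.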

 [2004-04-07 05:16 UTC] sniper@php.net
[Switching to Thread 16384 (LWP 16987)]
0x083471aa in zend_call_function (fci=0xbfffd270, fci_cache=0x0) at /usr/src/web/php/php5/Zend/zend_execute_API.c:683
683                             if (Z_OBJ_HT_PP(fci->object_pp)->get_method == NULL) {
(gdb) bt
#0  0x083471aa in zend_call_function (fci=0xbfffd270, fci_cache=0x0)
    at /usr/src/web/php/php5/Zend/zend_execute_API.c:683
#1  0x082f852d in xml_call_handler (parser=0x40e47038, handler=0x40e46fb0, function_ptr=0x0, argc=3, argv=0xbfffd2f0)
    at /usr/src/web/php/php5/ext/xml/xml.c:435
#2  0x082f8f13 in _xml_startElementHandler (userData=0x40e47038, name=0x87d3650 "OBJECT", attributes=0x0)
    at /usr/src/web/php/php5/ext/xml/xml.c:711
#3  0x082fbc19 in _start_element_handler (user=0x40e47104, name=0x87d327b "OBJECT", attributes=0x0)
    at /usr/src/web/php/php5/ext/xml/compat.c:63
#4  0x40baf835 in xmlParseStartTag () from /usr/lib/libxml2.so.2
#5  0x40bb4a8d in xmlParseExtParsedEnt () from /usr/lib/libxml2.so.2
#6  0x40bb54ff in xmlParseChunk () from /usr/lib/libxml2.so.2
#7  0x082fc4af in php_XML_Parse (parser=0x40e47104, 
    data=0x40e46b4c "<OBJECT>\n<CLIENT_ID>1</CLIENT_ID>\n<CLIENT_CAT_ID>3</CLIENT_CAT_ID>\n<USER_ID>1</USER_ID>\n<GROUP_ID>2</GROUP_ID>\n<SESSION_CODE>6f121f896c1db735891d28448b02b978</SESSION_CODE>\n</OBJECT>", data_len=182, is_final=0)
    at /usr/src/web/php/php5/ext/xml/compat.c:441
#8  0x082fa9c9 in zif_xml_parse (ht=2, return_value=0x40e46f6c, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php5/ext/xml/xml.c:1349
#9  0x0837a526 in zend_do_fcall_common_helper (execute_data=0xbfffd5e0, opline=0x40e47ccc, op_array=0x40e466a4)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2699
#10 0x0837ac76 in zend_do_fcall_handler (execute_data=0xbfffd5e0, opline=0x40e47ccc, op_array=0x40e466a4)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2828
#11 0x08376b20 in execute (op_array=0x40e466a4) at /usr/src/web/php/php5/Zend/zend_execute.c:1391
#12 0x0837a6bf in zend_do_fcall_common_helper (execute_data=0xbfffd7d0, opline=0x40e42ca0, op_array=0x40e4266c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2728
#13 0x0837ab68 in zend_do_fcall_by_name_handler (execute_data=0xbfffd7d0, opline=0x40e42ca0, op_array=0x40e4266c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2810
#14 0x08376b20 in execute (op_array=0x40e4266c) at /usr/src/web/php/php5/Zend/zend_execute.c:1391
#15 0x08353c59 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1057
#16 0x0830e874 in php_execute_script (primary_file=0xbffffbd0) at /usr/src/web/php/php5/main/main.c:1630
#17 0x0838edaf in main (argc=2, argv=0xbffffc64) at /usr/src/web/php/php5/sapi/cli/php_cli.c:943

 [2004-04-07 12:16 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
