Bug #29549 xpath() output makes PHP segfault or run out of memory when used in preg_match
Submitted: 2004-08-06 15:24 UTC Modified: 2004-11-20 01:00 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: r dot korving at xit dot nl Assigned:
Status: No Feedback Package: SimpleXML related
PHP Version: 5.0.0 OS: debian linux 2.4.26 kernel
Private report: No CVE-ID: None
 [2004-08-06 15:24 UTC] r dot korving at xit dot nl
Description:
------------
When I use the output of $xmlobject->xpath() in a preg_match("/whatever pattern/", $xpathoutput) it makes memory usage explode or the whole script segfaults.

The problem can be manually solved by typecasting the $xpathoutput to a string, but nonetheless, a segfault should never ever be desired behaviour. In fact, in one case I actually saw PHP try to allocate over 1 gigabyte of memory.

Reproduce code:
---------------
#!/usr/bin/php5 
<?
  $xml = simplexml_load_file("test.xml");
  $val = $xml->xpath("/rootelem/testelems");

  for ($i=0; $i < 20; $i++)
  {
    if (preg_match("/abc/", $val[0]))
      echo "Y";
    else
      echo "N";
  }
?>


test.xml:

<rootelem>
  <testelems>this is one</testelems>
  <testelems>this is another one !</testelems>
</rootelem>

Expected result:
----------------
NNNNNNNNNNNNNNNNNNNN

Actual result:
--------------
NSegmentation fault

 [2004-08-13 12:34 UTC] chregu@php.net
I don't know if it's an Engine or a SimpleXML problem, but here's the backtrace to it:

#0  _efree (ptr=0xffffffff) at /opt/cvs/php5.0/Zend/zend_alloc.c:263
#1  0x001452f4 in _zval_ptr_dtor (zval_ptr=0xffffffef) at /opt/cvs/php5.0/Zend/zend_execute_API.c:391
#2  0x001452f4 in _zval_ptr_dtor (zval_ptr=0x1982538) at /opt/cvs/php5.0/Zend/zend_execute_API.c:391
#3  0x001728a0 in zend_do_fcall_common_helper (execute_data=0xbfffeb70, opline=0x2009f7c, op_array=0x19868e0) at /opt/cvs/php5.0/Zend/zend_execute.h:124
#4  0x0016effc in execute (op_array=0x19868e0) at /opt/cvs/php5.0/Zend/zend_execute.c:1400
#5  0x0015103c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/cvs/php5.0/Zend/zend.c:1061
#6  0x00119914 in php_execute_script (primary_file=0xbffff5b0) at /opt/cvs/php5.0/main/main.c:1627
#7  0x0017c548 in main (argc=2, argv=0xbffffaf4) at /opt/cvs/php5.0/sapi/cli/php_cli.c:943
 [2004-08-13 20:21 UTC] rrichards@php.net
Looks like an engine bug. When it parses the arguments for a function and tries to do its auto string conversion magic, the zval gets hosed since it uses the zval as both the read and write object for the cast_object call in zend_parse_arg_impl. Simple script:

<?php
$xml = new SimpleXMLElement("<test/>");
str_split($xml); // any function requiring string parameter
var_dump($xml); // $xml is foobar at this point
?>
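
An added illustration, not part of the original comment and not Zend Engine code: a toy C model of the hazard described above, where one value is passed as both the read and the write object of a cast handler. The `value` struct, `cast_to_string`, `convert_aliased` and `convert_via_temp` are hypothetical names, and the handler's reset-before-read order is an assumption; the model reports the lost object with an error code where the real engine crashed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a zval; NOT the Zend Engine's real layout. */
typedef enum { T_NULL, T_OBJECT, T_STRING } vtype;
typedef struct { vtype type; const char *obj_text; char *str; } value;

/* Hypothetical cast handler: it resets the output slot before it
 * reads the source object (assumed order, for illustration). */
static int cast_to_string(const value *readobj, value *writeobj) {
    writeobj->type = T_NULL;           /* reset output first ...          */
    writeobj->obj_text = NULL;
    writeobj->str = NULL;
    if (readobj->type != T_OBJECT || readobj->obj_text == NULL)
        return -1;                     /* ... so an aliased source is gone */
    size_t n = strlen(readobj->obj_text) + 1;
    writeobj->str = malloc(n);
    if (writeobj->str == NULL)
        return -1;
    memcpy(writeobj->str, readobj->obj_text, n);
    writeobj->type = T_STRING;
    return 0;
}

/* Pattern from the comment: the same value is both source and target. */
static int convert_aliased(value *arg) { return cast_to_string(arg, arg); }

/* Safer pattern: cast into a temporary, replace the argument on success. */
static int convert_via_temp(value *arg) {
    value tmp;
    if (cast_to_string(arg, &tmp) != 0)
        return -1;                     /* original argument left untouched */
    *arg = tmp;
    return 0;
}

int main(void) {
    value a = { T_OBJECT, "this is one", NULL };  /* constructed sample */
    value b = a;
    int rc_a = convert_aliased(&a);
    int rc_b = convert_via_temp(&b);
    printf("aliased:  rc=%d type=%d\n", rc_a, a.type);
    printf("via temp: rc=%d type=%d str=%s\n", rc_b, b.type, b.str);
    free(b.str);
    return 0;
}
```

The aliased call leaves the caller's variable clobbered as well as failing the conversion, which matches the observation that `$xml` is unusable after the function call.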
 [2004-11-20 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
Last updated: Sun Dec 22 11:01:30 2024 UTC