Bug #32912 Segfault in DOMXpath->query
Submitted: 2005-05-02 14:11 UTC
Modified: 2005-05-03 13:43 UTC
From: vivers at one dot net
Assigned:
Status: Not a bug
Package: DOM XML related
PHP Version: 5.0.4
OS: SUSE Ent Svr 9 AMD64
Private report: No
CVE-ID: None

 [2005-05-02 14:11 UTC] vivers at one dot net
Description:
------------
Similar to situation reported in Bug #32754.  However, installing libxml2-2.6.16 did not resolve the issue.

Calling the query() method of DOMXPath when the DOMDocument is loaded with a document whose root element contains a namespace declaration causes a segfault.

Occurred with php-5.0.4, libxml2-2.6.19 and again with 2.2.16.  Also failed with php5-STABLE-200505021035.

PHP config:
'./configure' \
'--with-apxs=/usr/local/apache/bin/apxs' \
'--with-mysqli=/usr/local/bin/mysql_config' \
'--with-openssl=/usr/local' \
'--with-libxml-dir=/usr/local' \
'--enable-debug' \

Apache/mod_ssl config:
./configure \
"--with-apache=../apache_1.3.33" \
"--with-ssl=../openssl-0.9.7g" \
"--with-mm=../mm-1.3.1" \
"--prefix=/usr/local/apache" \
"--enable-shared=ssl" \
"--disable-rule=SSL_COMPAT" \
"--with-layout=Apache" \
"--enable-rule=SSL_SDBM" \
"--enable-shared=max" \
"--enable-module=ssl" \

Does not occur on Dreamhost server running Linux 2.4.29 and running PHP in CGI mode--PHP-5.0.3 and libxml2-2.6.11.  That same combination also generated the segfault on the SUSE box.


Reproduce code:
---------------
Code from bug #32754:

<?php
$x = new DOMDocument();

// This line gives a segmentation fault.
$x->loadXml( '<template xmlns="http://blah.com"/>');

// ... but if I comment the line above out and uncomment the next line
// there are no issues. It does not matter what xmlns is set to in the line
// above.
//$x->loadXml( '<template/>' );

$xpath = new DOMXPath( $x );
$nodelist = $xpath->query( '/*' );
?>

Works fine with CGI version of php5-STABLE-200505021035.  Segfaults in Apache module, both http and https call.

Expected result:
----------------
Return nothing and no segfault

Actual result:
--------------
#0  0x0000002a95b8c70b in _int_malloc () from /lib64/tls/libc.so.6
#1  0x0000002a95b8df99 in malloc () from /lib64/tls/libc.so.6
#2  0x0000002a97f90819 in xmlMallocLoc__internal_alias (size=Variable "size" is not available.
) at xmlmemory.c:174
#3  0x0000002a97f90962 in xmlMemMalloc__internal_alias (size=Variable "size" is not available.
) at xmlmemory.c:296
#4  0x0000002a98018af6 in xmlNewPatParserContext (pattern=Variable "pattern" is not available.
) at pattern.c:261
#5  0x0000002a9801a226 in xmlPatterncompile__internal_alias (pattern=Variable "pattern" is not available.
) at pattern.c:1876
#6  0x0000002a97fabf98 in xmlXPathTryStreamCompile (ctxt=Variable "ctxt" is not available.
) at xpath.c:11270
#7  0x0000002a97fbac7b in xmlXPathEvalExpr__internal_alias (ctxt=Variable "ctxt" is not available.
) at xpath.c:11452
#8  0x0000002a97fbad77 in xmlXPathEvalExpression__internal_alias (str=Variable "str" is not available.
) at xpath.c:11549
#9  0x0000002a972c312b in zif_dom_xpath_query (ht=1, return_value=0x6e5e00, this_ptr=0x6e20d0, return_value_used=1)
    at /home/xtekadmin/src/php5-STABLE-200505021035/ext/dom/xpath.c:198
#10 0x0000002a9747949f in zend_do_fcall_common_helper (execute_data=0x7fbfffbea0, opline=0x6e7138, op_array=0x6e1ec0)
    at /home/xtekadmin/src/php5-STABLE-200505021035/Zend/zend_execute.c:2736
#11 0x0000002a97479bc1 in zend_do_fcall_by_name_handler (execute_data=0x7fbfffbea0, opline=0x6e7138, op_array=0x6e1ec0)
    at /home/xtekadmin/src/php5-STABLE-200505021035/Zend/zend_execute.c:2850
#12 0x0000002a9747550b in execute (op_array=0x6e1ec0) at /home/xtekadmin/src/php5-STABLE-200505021035/Zend/zend_execute.c:1415
#13 0x0000002a974488de in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/xtekadmin/src/php5-STABLE-200505021035/Zend/zend.c:1076
#14 0x0000002a973f7b45 in php_execute_script (primary_file=0x7fbfffe480)
    at /home/xtekadmin/src/php5-STABLE-200505021035/main/main.c:1638
#15 0x0000002a97482c60 in apache_php_module_main (r=0x56b110, display_source_mode=0)
    at /home/xtekadmin/src/php5-STABLE-200505021035/sapi/apache/sapi_apache.c:54
#16 0x0000002a97483b69 in send_php (r=0x56b110, display_source_mode=0, filename=0x6c7a40 "/usr/local/apache/htdocs/test.php")
    at /home/xtekadmin/src/php5-STABLE-200505021035/sapi/apache/mod_php5.c:622
#17 0x0000002a97483beb in send_parsed_php (r=0x56b110) at /home/xtekadmin/src/php5-STABLE-200505021035/sapi/apache/mod_php5.c:637
#18 0x00000000004105e5 in ap_invoke_handler ()
#19 0x00000000004280f7 in process_request_internal ()
#20 0x000000000042814c in ap_process_request ()
#21 0x000000000041e66e in child_main ()
#22 0x000000000041e81f in make_child ()
#23 0x000000000041e9a0 in startup_children ()
#24 0x000000000041f0cd in standalone_main ()
#25 0x000000000041f8dc in main ()


History

 [2005-05-03 02:55 UTC] vivers at one dot net
"Works fine with CGI version of php5-STABLE-200505021035.  Segfaults in
Apache module, both http and https call." should be "CLI" not "CGI".

Still "CGI" in:
"Does not occur on Dreamhost server running Linux 2.4.29 and running PHP
in CGI mode--PHP-5.0.3 and libxml2-2.6.11.  That same combination also
generated the segfault on the SUSE box."

Hope that doesn't confuse the issue.
 [2005-05-03 13:22 UTC] rrichards@php.net
This is a libxml bug causing memory corruption when using namespaces and xpath (or xslt). You are just one of the *lucky* ones who experiences the crash. There's a patch, not yet in CVS, on the libxml mailing list, so it should make it into the next libxml2 release.
BTW: The 2.6.11 issue is a different libxml bug which was fixed.
 [2005-05-03 13:43 UTC] vivers at one dot net
Thanks for the quick response.  I'll dig up the patch.
 