Bug #33743 Segfault with replaceChild and entities
Submitted: 2005-07-18 10:18 UTC
Modified: 2005-07-18 11:49 UTC
From: aidan@php.net
Assigned:
Status: Closed
Package: DOM XML related
PHP Version: 5.0.4
OS: N/A
Private report: No
CVE-ID: None

 [2005-07-18 10:18 UTC] aidan@php.net
Description:
------------
Segfault using replaceChild.

PHP 4.3.11, LibXML v2.6.9

Reproduce code:
---------------
<?php
// Main document
$xml = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<article>
 <articleinfo>
  <abstract>
   <para>foobar</para>
  </abstract>
 </articleinfo>
</article>';

// Load
$doc = new DomDocument;
$doc->resolveExternals = true;
$doc->loadXml($xml);

// Fragment
$frag = '<?xml version="1.0" encoding="utf-8" ?>';
$frag .= '<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">';
$frag .= '<abstract><para>&deg;</para></abstract>';

// Load
$dom = new DomDocument;
$dom->resolveExternals = true;
$dom->loadXML($frag);

// Locate the node
$xpath = new DOMXpath($doc);
$nodelist = $xpath->query('/article/articleinfo/abstract');
$oldnode = $nodelist->item(0);

// Replace the node
$newnode = $doc->importNode($dom->documentElement, true);
$oldnode->parentNode->replaceChild($newnode, $oldnode);

// Check
echo $doc->saveXml();
?>


Actual result:
--------------
# $ gdb /usr/local/bin/php core.2729
# GNU gdb Red Hat Linux (5.2-2)
# Copyright 2002 Free Software Foundation, Inc.
# GDB is free software, covered by the GNU General Public License, and you are
# welcome to change it and/or distribute copies of it under certain conditions.
# Type "show copying" to see the conditions.
# There is absolutely no warranty for GDB. Type "show warranty" for details.
# This GDB was configured as "i386-redhat-linux"...
# Core was generated by `php dom-replacechild.php'.
# Program terminated with signal 11, Segmentation fault.
# Reading symbols from /lib/libcrypt.so.1...done.
# Loaded symbols for /lib/libcrypt.so.1
# Reading symbols from /usr/lib/libexslt.so.0...done.
# Loaded symbols for /usr/lib/libexslt.so.0
# Reading symbols from /usr/lib/libz.so.1...done.
# Loaded symbols for /usr/lib/libz.so.1
# Reading symbols from /lib/i686/libm.so.6...done.
# Loaded symbols for /lib/i686/libm.so.6
# Reading symbols from /usr/lib/libmysqlclient.so.10...done.
# Loaded symbols for /usr/lib/libmysqlclient.so.10
# Reading symbols from /usr/lib/libbz2.so.1...done.
# Loaded symbols for /usr/lib/libbz2.so.1
# Reading symbols from /lib/libresolv.so.2...done.
# Loaded symbols for /lib/libresolv.so.2
# Reading symbols from /lib/libdl.so.2...done.
# Loaded symbols for /lib/libdl.so.2
# Reading symbols from /lib/libnsl.so.1...done.
# Loaded symbols for /lib/libnsl.so.1
# Reading symbols from /usr/lib/libxslt.so.1...done.
# Loaded symbols for /usr/lib/libxslt.so.1
# Reading symbols from /usr/lib/libxml2.so.2...done.
# Loaded symbols for /usr/lib/libxml2.so.2
# Reading symbols from /lib/i686/libpthread.so.0...done.
# Loaded symbols for /lib/i686/libpthread.so.0
# Reading symbols from /lib/i686/libc.so.6...done.
# Loaded symbols for /lib/i686/libc.so.6
# Reading symbols from /lib/ld-linux.so.2...done.
# Loaded symbols for /lib/ld-linux.so.2
# #0 0x401a60c0 in xmlStrEqual () from /usr/lib/libxml2.so.2
# (gdb) bt
# #0 0x401a60c0 in xmlStrEqual () from /usr/lib/libxml2.so.2
# #1 0x40160043 in xmlSearchNsByHref () from /usr/lib/libxml2.so.2
# #2 0x401602ae in xmlNewReconciliedNs () from /usr/lib/libxml2.so.2
# #3 0x4016048a in xmlReconciliateNs () from /usr/lib/libxml2.so.2
# #4 0x0808ac48 in zif_dom_node_replace_child (ht=2, return_value=0x8906d44, this_ptr=0x859ace4, return_value_used=0)
# at /usr/local/src/php-5.0.4/ext/dom/node.c:1187
# #5 0x081d04fb in zend_do_fcall_common_helper (execute_data=0xbfffd730, opline=0x841f424, op_array=0x841812c)
# at /usr/local/src/php-5.0.4/Zend/zend_execute.c:2727
# #6 0x081b781a in execute (op_array=0x841812c) at /usr/local/src/php-5.0.4/Zend/zend_execute.c:1406
# #7 0x0819b2c5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-5.0.4/Zend/zend.c:1069
# #8 0x0816d7aa in php_execute_script (primary_file=0xbffffad0) at /usr/local/src/php-5.0.4/main/main.c:1632
# #9 0x081d914c in main (argc=2, argv=0xbffffb74) at /usr/local/src/php-5.0.4/sapi/cli/php_cli.c:946
# #10 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
# (gdb) frame 6
# #6 0x081b781a in execute (op_array=0x841812c) at /usr/local/src/php-5.0.4/Zend/zend_execute.c:1406
# 1406 if (EX(opline)->handler(&execute_data, EX(opline), op_array TSRMLS_CC)) {
# (gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
# $1 = 0x81db7a9 "replaceChild"
# (gdb)

 [2005-07-18 11:49 UTC] aidan@php.net
This can be fixed by updating libxml. (Confirmed with libxml 2.6.17).
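
Added example (not part of the original report or of PHP itself): a guard that refuses the import + replaceChild path when the linked libxml is older than the release the comment above confirms as working. The names MIN_LIBXML, libxmlIsFixed, hasEntityRef and safeReplace are hypothetical, the entity-reference check assumes the trigger named in the bug title, and the sample fragment uses a constructed internal DTD subset so it runs offline.

```php
<?php
// Assumption: 2.6.17 is the version the report confirms as fixed; the first
// fixed libxml release is not stated on the page.
define('MIN_LIBXML', '2.6.17');

// True when the libxml this PHP build is linked against is new enough.
function libxmlIsFixed($linked = LIBXML_DOTTED_VERSION)
{
    return version_compare($linked, MIN_LIBXML, '>=');
}

// True if the subtree contains an unexpanded entity reference such as &deg;.
function hasEntityRef(DOMNode $node)
{
    if ($node->nodeType === XML_ENTITY_REF_NODE) {
        return true;
    }
    if ($node->hasChildNodes()) {
        foreach ($node->childNodes as $child) {
            if (hasEntityRef($child)) {
                return true;
            }
        }
    }
    return false;
}

// Import $foreign into $doc and swap it in for $old, failing closed with an
// exception on an old libxml instead of reaching the crashing call.
function safeReplace(DOMDocument $doc, DOMNode $old, DOMNode $foreign)
{
    if (!libxmlIsFixed() && hasEntityRef($foreign)) {
        throw new RuntimeException('libxml ' . LIBXML_DOTTED_VERSION .
            ' is older than ' . MIN_LIBXML . '; refusing replaceChild');
    }
    $new = $doc->importNode($foreign, true);
    $old->parentNode->replaceChild($new, $old);
    return $new;
}

// Constructed sample input mirroring the structure of the reproduce code.
$doc = new DOMDocument;
$doc->loadXML('<article><articleinfo><abstract><para>foobar</para></abstract></articleinfo></article>');
$src = new DOMDocument;
$src->loadXML('<!DOCTYPE abstract [<!ENTITY deg "&#176;">]><abstract><para>&deg;</para></abstract>');
$xpath = new DOMXPath($doc);
$old = $xpath->query('/article/articleinfo/abstract')->item(0);
safeReplace($doc, $old, $src->documentElement);
echo $doc->saveXML();
```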
 
Last updated: Sun Jul 06 07:01:33 2025 UTC