Bug #38813 DOMEntityReference->__construct crashes when called explicitly
Submitted: 2006-09-13 16:35 UTC Modified: 2006-09-14 13:37 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: ladislav dot prosek at matfyz dot cz Assigned: rrichards
Status: Closed Package: DOM XML related
PHP Version: 5.1.6 OS: Windows XP SP2 Pro
Private report: No CVE-ID: None
 [2006-09-13 16:35 UTC] ladislav dot prosek at matfyz dot cz
Description:
------------
DOM XML classes contain __construct methods that behave in quite an unexpected way. You can call the constructor explicitly, ending up with a broken object (e.g. "Couldn't fetch DOMAttr. Node no longer exists" whenever you access a method/property of the object).

Nevertheless, the constructor of DOMEntityReference, which is the subject of this report, is broken completely.

Reproduce code:
---------------
<?php
  // Construct an entity reference, then call the constructor again on the
  // live object; the second, explicit call is the one that crashes.
  $ent = new DOMEntityReference("a");
  $ent->__construct("b");
?>

Expected result:
----------------
You decide :)

Actual result:
--------------
* CRASH *

 [2006-09-13 16:38 UTC] ladislav dot prosek at matfyz dot cz
Correcting the summary (crashed -> crashes).
 [2006-09-13 22:11 UTC] judas dot iscariote at gmail dot com
(gdb) bt full
#0  0x00000000004430e5 in php_libxml_decrement_node_ptr (object=0xa75310) at /home/cristian/php-src/ext/libxml/libxml.c:922
        ret_refcount = -1
        obj_node = (php_libxml_node_ptr *) 0x81
#1  0x0000000000441103 in php_libxml_clear_object (object=0xa75310) at /home/cristian/php-src/ext/libxml/libxml.c:161
No locals.
#2  0x0000000000441148 in php_libxml_unregister_node (nodep=0x2af82f48abe0)
    at /home/cristian/php-src/ext/libxml/libxml.c:174
        wrapper = (php_libxml_node_object *) 0xa75310
        nodeptr = (php_libxml_node_ptr *) 0xa75290
#3  0x00000000004433f3 in php_libxml_node_free_resource (node=0x2af82f48abe0)
    at /home/cristian/php-src/ext/libxml/libxml.c:1006
No locals.
#4  0x00000000004a73fe in zim_domentityreference___construct (ht=1, return_value=0x2af82f48ab80, return_value_ptr=0x0,
    this_ptr=0x2af82f4892c0, return_value_used=0) at /home/cristian/php-src/ext/dom/entityreference.c:78
        id = (zval *) 0x2af82f4892c0
        node = (xmlNode *) 0xa75330
        oldnode = (xmlNodePtr) 0x2af82f48abe0
        intern = (dom_object *) 0x2af82f48c110
        name = 0x2af82f48ab30 "b"
        name_len = 1
        name_valid = 0
#5  0x00000000006b479a in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff7b683890)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2af82f48a5c0
        original_return_value = (zval **) 0x66ab0d
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 0
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x6fa2f53dc00
#6  0x00000000006b5616 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff7b683890)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:322
No locals.
#7  0x00000000006b41e7 in execute (op_array=0x2af82f489f38) at /home/cristian/php-src/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2af82f48a5c0, function_state = {function_symbol_table = 0x0, function = 0x9d0e10,
    reserved = {0x2af82f48a068, 0x7fff7b6838f0, 0x67f53c, 0x0}}, fbc = 0x9d0e10, op_array = 0x2af82f489f38,
  object = 0x2af82f4892c0, Ts = 0x7fff7b683770, CVs = 0x7fff7b683750, original_in_execution = 0 '\0',
  symbol_table = 0x944368, prev_execute_data = 0x0, old_error_reporting = 0x0}
#8  0x000000000068c639 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cristian/php-src/Zend/zend.c:1096
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff7b683b20, reg_save_area = 0x7fff7b683a60}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff7b685f20
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#9  0x000000000062e1fe in php_execute_script (primary_file=0x7fff7b685f20) at /home/cristian/php-src/main/main.c:1759
        realfile = "/home/cristian/php-src/dom.php\000\000\006\000\000\177\000\000Y;i\000\000\000\000\000ȳ�*\000\000\004�*\000\000\006\000\000\177\000\000�232\220", '\0' <repeats 13 times>, "0ah{\177", '\0' <repeats 26 times>, "�B/*\000\000\001\000\000\000\177\000\000\000\000\000\000\000\000\000\000str_pad\000\000z\000\000\000\000\000ȳ�*\000\000\000�/*\000\000\200Lh{\177\000\000B5C/*\000\000p\a0*\000\000\000�\000\000\000\000\000�027\225\000\000\000\000\000,\200i"...
        orig_bailout = (jmp_buf *) 0x7fff7b685da0
        bailout = {{__jmpbuf = {47245434280960, -69214136192287935, 0, 140735263826224, 0, 0, -69214136192279183,
      -69130816930170570}, __mask_was_saved = 0, __saved_mask = {__val = {6788758, 140735263824896, 6728568,
        47244640256323, 2070436912, 0, 2263447764992, 8057064, 47245433541408, 140735263825168, 7408586, 8057064, 492, 0,
        0, 3}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff7b683b40 ""
        retval = 0
#10 0x0000000000711a7d in main (argc=2, argv=0x7fff7b686138) at /home/cristian/php-src/sapi/cli/php_cli.c:1102
        orig_bailout = (jmp_buf *) 0x0
        bailout = {{__jmpbuf = {47245434280960, -69214136192301567, 0, 140735263826224, 0, 0, -69214136192287887,
      -69130816930977452}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 140735263825552, 0, 0, 0, 0, 1706748291,
        47245434283584, 47245434285408, 281474976710656, 0, 0, 0, 0}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff7b686eff "dom.php",
  opened_path = 0x2af82f489ed0 'Z' <repeats 31 times>, "\204�217*", handle = {fd = 10965648, fp = 0xa75290, stream = {
      handle = 0xa75290, reader = 0x6a6208 <zend_stream_stdio_reader>, closer = 0x6a6234 <zend_stream_stdio_closer>,
      fteller = 0x6a625e <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff7b686eff "dom.php"
        arg_excp = (char **) 0x7fff7b686140
        script_file = 0x7fff7b686eff "dom.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
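The crash path in the backtrace above is a re-entered constructor tearing down the node that the live object still wraps, with the refcount in frame #0 already at -1 when the handle is dereferenced. The block below is an added example, not php-src code and not the CVS fix (which the report does not show): the wrapper, node_ptr and xnode structs and every function name are assumptions standing in for dom_object, php_libxml_node_ptr and xmlNode. It contrasts the buggy shape (release the old node while the wrapper still points at its handle, adopt the new one without counting the reference, so the second __construct underflows the count) with the general discipline a re-enterable constructor needs: detach before release, never decrement below zero, and count the reference you adopt.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy model of dom_object -> php_libxml_node_ptr -> xmlNode (assumed names,
 * not php-src code). Userland can re-enter __construct on a live object,
 * so the constructor must tear down the previous node without leaving
 * a stale pointer or an inconsistent refcount behind. */
typedef struct node_ptr node_ptr;
typedef struct { char name[32]; node_ptr *priv; } xnode;   /* priv ~ _private */
struct node_ptr { int refcount; xnode *node; };            /* shared handle */
typedef struct { node_ptr *ptr; } wrapper;                 /* ~ dom_object */
static xnode *xnode_new(const char *name) {
    xnode *n = calloc(1, sizeof *n);
    if (n) strncpy(n->name, name, sizeof n->name - 1);
    return n;
}

/* Attach a handle to a node; take_ref models whether the adopter records
 * its ownership. Adopting without it leaves refcount at 0. */
static node_ptr *handle_attach(xnode *n, int take_ref) {
    if (n->priv == NULL) {
        n->priv = calloc(1, sizeof *n->priv);
        n->priv->node = n;
    }
    if (take_ref) n->priv->refcount++;
    return n->priv;
}

/* Unchecked release: decrements blindly, frees once the count is not
 * positive. Returns the new count, so -1 is an underflow (compare
 * ret_refcount = -1 in frame #0 of the backtrace). */
static int handle_release_unchecked(node_ptr *h) {
    int rc = --h->refcount;
    if (rc <= 0) { free(h->node); free(h); }
    return rc;
}

/* Checked release: never goes below zero, frees exactly at zero. */
static int handle_release_checked(node_ptr *h) {
    if (h->refcount <= 0) return -1;          /* caller's bookkeeping is off */
    if (--h->refcount == 0) { free(h->node); free(h); return 0; }
    return h->refcount;
}

/* Buggy shape: free the old node while w->ptr still points at its handle,
 * then adopt the new node without counting the reference. Returns the
 * count observed while releasing the old node (0 if there was none). */
int ctor_unsafe(wrapper *w, const char *name) {
    int rc = 0;
    if (w->ptr) rc = handle_release_unchecked(w->ptr);  /* w->ptr dangles */
    w->ptr = handle_attach(xnode_new(name), 0);         /* refcount stays 0 */
    return rc;
}

/* Hardened shape: detach first, release with a floor at zero, stop on a
 * corrupt count, adopt the new node with its reference counted. */
int ctor_safe(wrapper *w, const char *name) {
    int rc = 0;
    if (w->ptr) {
        node_ptr *old = w->ptr;
        w->ptr = NULL;                      /* no stale pointer during teardown */
        rc = handle_release_checked(old);
        if (rc < 0) return rc;
    }
    w->ptr = handle_attach(xnode_new(name), 1);         /* refcount 1 */
    return rc;
}

const char *wrapper_name(const wrapper *w) {
    return (w->ptr && w->ptr->node) ? w->ptr->node->name : NULL;
}

void wrapper_destroy(wrapper *w) {
    node_ptr *old = w->ptr;
    w->ptr = NULL;
    if (old) handle_release_checked(old);
}

/* new DOMEntityReference("a") followed by ->__construct("b"), both ways. */
int reenter_unsafe(void) {
    wrapper w = {0};
    ctor_unsafe(&w, "a");
    return ctor_unsafe(&w, "b");            /* -1: refcount underflowed */
}

int reenter_safe(void) {
    wrapper w = {0};
    if (ctor_safe(&w, "a") != 0) return 1;
    if (ctor_safe(&w, "b") != 0) return 2;
    if (strcmp(wrapper_name(&w), "b") != 0) return 3;
    if (w.ptr->refcount != 1) return 4;
    wrapper_destroy(&w);
    return w.ptr == NULL ? 0 : 5;
}

int main(void) {
    printf("unsafe re-entry: %d\nsafe re-entry: %d\n", reenter_unsafe(), reenter_safe());
    return 0;
}
```

The unsafe path returns -1 from the second construction because the handle was adopted with a count of 0 and is then decremented and freed while the wrapper still holds its address; in the real engine that is the point where frame #0 reads a garbage obj_node. The checked path refuses to release a handle whose count is already zero, which turns a memory-safety bug into a recoverable error, and clears the wrapper's pointer before teardown so nothing can observe the half-destroyed object.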
 [2006-09-14 13:37 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.