Bug #41613 xml_get_current_line_number() causes segmentation fault
Submitted: 2007-06-06 18:42 UTC
Modified: 2007-07-08 01:00 UTC
From: riverfr0zen at elitemail dot org
Assigned: rrichards
Status: No Feedback
Package: XML related
PHP Version: 4.4.7
OS: Linux 2.6.15-28-386 UbuntuDappr
Private report: No
CVE-ID: None

 [2007-06-06 18:42 UTC] riverfr0zen at elitemail dot org
Description:
------------
It seems bug #20442 has crept in again.

Calling xml_get_current_line_number() to report the line number of an xml parsing error causes a segmentation fault.

Tested on the following feed (which causes a 'not well-formed (invalid token)' error at time of reporting):
http://feeds.feedburner.com/thr/film

The code below is run from the CLI.



Reproduce code:
---------------
while ($data = fread($feed, 4096)) {
	if (xml_parse($this->parser, $data, feof($feed)) !== 1)
	{
		print xml_error_string(xml_get_error_code($this->parser)) . "\n";
		print xml_get_current_line_number($this->parser) . "\n";
	}
}


Expected result:
----------------
not well-formed (invalid token)
(the line number)


Actual result:
--------------
Segmentation fault

 [2007-06-06 19:10 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2007-06-06 19:47 UTC] riverfr0zen at elitemail dot org
Here's the backtrace:

(gdb) bt
#0  0x081c7fdd in normal_updatePosition (enc=0x8394560, ptr=0x8d7a000 <Address 0x8d7a000 out of bounds>,
    end=0x8d67e5d " Technique of the American Commercial.\"</description>\n</item>\n<item>\n<title>'Golden' shines for Disney</title>\n<pubDate>2007-06-06</pubDate>\n<guid isPermaLink=\"true\">http://www.hollywoodreporter.com/h"..., pos=0x8cbe948) at xmltok_impl.c:1747
#1  0x081b7afe in php_XML_GetCurrentLineNumber (parser=0x8cbe7c0)
    at /usr/local/src/php-4.4.7/ext/xml/expat/xmlparse.c:1571
#2  0x081b54c5 in zif_xml_get_current_line_number (ht=1, return_value=0x8d5f0ec, this_ptr=0x0,
    return_value_used=1) at /usr/local/src/php-4.4.7/ext/xml/xml.c:1437
#3  0x082291f2 in execute (op_array=0x8cdab84) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1681
#4  0x08229498 in execute (op_array=0x8cced9c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#5  0x08229498 in execute (op_array=0x8a71d3c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#6  0x08229498 in execute (op_array=0x8a7555c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#7  0x08229498 in execute (op_array=0x8a73204) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#8  0x08229498 in execute (op_array=0x848ec3c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#9  0x08229498 in execute (op_array=0x8842254) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#10 0x08229498 in execute (op_array=0x8843e64) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#11 0x08229498 in execute (op_array=0x8841b44) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#12 0x08229498 in execute (op_array=0x8488c1c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#13 0x08229498 in execute (op_array=0x848859c) at /usr/local/src/php-4.4.7/Zend/zend_execute.c:1725
#14 0x08212d7d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php-4.4.7/Zend/zend.c:939
#15 0x081d9897 in php_execute_script (primary_file=0xbfc2275c) at /usr/local/src/php-4.4.7/main/main.c:1757
#16 0x082314b4 in main (argc=2, argv=0xbfc22844) at /usr/local/src/php-4.4.7/sapi/cli/php_cli.c:838
(gdb)
 [2007-06-06 20:09 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2007-06-06 20:18 UTC] riverfr0zen at elitemail dot org
function startElement(){}
function endElement(){}

$feed = fopen('http://feeds.feedburner.com/thr/film', "r");

if ($feed)
{
	$_parser = xml_parser_create();
	xml_set_element_handler($_parser, "startElement", "endElement"); 
	xml_set_character_data_handler($_parser, "characterData");
	while ($data = fread($feed, 4096)) {
		if (xml_parse($_parser, $data, feof($feed)) !== 1)
		{
			print xml_error_string(xml_get_error_code($_parser)) . "\n";
			print xml_get_current_line_number($_parser) . "\n";
		}
	}
	fclose($feed); 
	xml_parser_free($_parser);
}
 [2007-06-06 20:21 UTC] riverfr0zen at elitemail dot org
Note: Commenting out the line

print xml_get_current_line_number($_parser) . "\n";

in the simple script above allows the script to complete execution without a seg fault.
 [2007-06-06 23:58 UTC] riverfr0zen at elitemail dot org
Ha. Of course, I violate the first instruction :) Here it is with beginning and ending PHP tags.

<?php

print "begin\n";
function startElement(){}
function endElement(){}

$feed = fopen('http://feeds.feedburner.com/thr/film', "r");

if ($feed)
{
	$_parser = xml_parser_create();
	xml_set_element_handler($_parser, "startElement", "endElement"); 
	xml_set_character_data_handler($_parser, "characterData");
	while ($data = fread($feed, 4096)) {
		if (xml_parse($_parser, $data, feof($feed)) !== 1)
		{
			print xml_error_string(xml_get_error_code($_parser)) . "\n";
			print xml_get_current_line_number($_parser) . "\n";
		}
	}
	fclose($feed); 
	xml_parser_free($_parser);
}
print "end\n";
?>

------------
If you comment out

print xml_get_current_line_number($_parser) . "\n";

the script successfully prints out "end". But if it is left there, it never arrives, and gets a segmentation fault instead.
 [2007-06-30 14:21 UTC] rrichards@php.net
I cannot reproduce this. Do you have some static data that triggers the segfault?
 [2007-07-08 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
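
An offline variant of the reproduce script, as an added example that is not part of the original report: it parses a constructed malformed feed in 4096-byte chunks and stops at the first parse error, reading the line number once. The feed contents, `parseInChunks()` and `characterData()` are assumptions made for illustration; this is not the static data the maintainer asked for and is not known to trigger the crash.

```php
<?php
// Constructed malformed feed (not the feed from the report): the bare "&" on
// line 5 is not well-formed; the padding pushes it past the second 4096-byte chunk.
$xml = "<?xml version=\"1.0\"?>\n"
     . "<rss><channel>\n"
     . "<item>\n"
     . "<title>" . str_repeat("padding ", 1200) . "</title>\n"
     . "<description>Golden & shines</description>\n"
     . "</item>\n"
     . "</channel></rss>\n";

function startElement($parser, $name, $attrs) {}
function endElement($parser, $name) {}
function characterData($parser, $data) {}

// Parse $xml in $chunkSize-byte pieces, like the fread() loop in the report,
// but stop at the first failure. Returns null, or array(message, line, byte).
function parseInChunks($xml, $chunkSize = 4096)
{
	$parser = xml_parser_create();
	xml_set_element_handler($parser, "startElement", "endElement");
	xml_set_character_data_handler($parser, "characterData");

	$error = null;
	$length = strlen($xml);
	for ($offset = 0; $offset < $length; $offset += $chunkSize) {
		$chunk = substr($xml, $offset, $chunkSize);
		$isFinal = ($offset + $chunkSize >= $length);
		if (xml_parse($parser, $chunk, $isFinal) !== 1) {
			// Read the error state once, then stop feeding the parser.
			$error = array(
				xml_error_string(xml_get_error_code($parser)),
				xml_get_current_line_number($parser),
				xml_get_current_byte_index($parser),
			);
			break;
		}
	}
	xml_parser_free($parser); // has no effect as of PHP 8.0
	return $error;
}

$error = parseInChunks($xml);
if ($error === null) {
	print "parsed without error\n";
} else {
	print "error: {$error[0]} at line {$error[1]}, byte {$error[2]}\n";
}
```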
 