Bug #47287 Accessing non-existent body element causes segfault
Submitted: 2009-02-03 03:08 UTC
Modified: 2009-02-03 19:00 UTC
From: msiekkinen at gmail dot com
Assigned:
Status: Not a bug
Package: Tidy (PECL)
PHP Version: 5.2CVS-2009-02-03 (snap)
OS: CentOS 5.2
Private report: No
CVE-ID: None
 [2009-02-03 03:08 UTC] msiekkinen at gmail dot com
Description:
------------
OS

Linux myserver 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

CentOS release 5.2 (Final)

PHP

PHP 5.2.4 (cli) (built: Nov 14 2008 11:28:15)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

Tidy

Tidy support => enabled
libTidy Release => 18 March 2008
Extension Version => 2.0 ($Id: tidy.c,v 1.66.2.8.2.23 2007/05/04 17:11:05 nlopess Exp $)


Calling tidy's body() method when none is present results in a segfault

Reproduce code:
---------------
$text='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN">
<html>
<head><title>Assistant (Legal issues) m/w</title>
</head>
<frameset name="frameset" framespacing="0" border="false"frameborder="0" rows="41,*,25">
<noframes> </noframes>
<frame scrolling=no name="oben" src="/viewjob_header.php?jid=45482">
<frame scrolling=auto name="anzeige" src="/viewjob_main.php?jid=45482">
<frame scrolling=no name="unten" src="/viewjob_footer.php?jid=45482">
</frameset>';

$tidy = new tidy();
$tidyConfig=array('char-encoding'=>'utf8','input-encoding'=>'utf8','output-bom'=>'false','output-encoding'=>'utf8');

$tidy->parseString(file_get_contents('wtf.html'),$tidyConfig,'utf8');

print "Parsed it at least\n";
$tidy->CleanRepair();
print "Repaired\n";
$body = $tidy->body();
print "This message will not see the light of day";
var_dump($body);

Expected result:
----------------
I would expect it to run through and output *something* in the var_dump(), but it segfaults before it can get that far.

Actual result:
--------------
#0 0x00cd86aa in tidyGetChild () from /usr/local/lib/libtidy-0.99.so.0
#1 0x082d8495 in tidy_add_default_properties (obj=0xb7439358, type=is_node) at /usr/local/src/php-5.2.4/ext/tidy/tidy.c:811
#2 0x082d88ee in php_tidy_create_node (ht=0, return_value=0xb67a947c, return_value_ptr=0x0, this_ptr=0xb692c690, return_value_used=1, node=is_body_node) at /usr/local/src/php-5.2.4/ext/tidy/tidy.c:902
#3 0x082dad5d in zif_tidy_get_body (ht=0, return_value=0xb67a947c, return_value_ptr=0x0, this_ptr=0xb692c690, return_value_used=1) at /usr/local/src/php-5.2.4/ext/tidy/tidy.c:1548
#4 0x08358d8f in zend_do_fcall_common_helper_SPEC (execute_data=0xbfef4af0) at /usr/local/src/php-5.2.4/Zend/zend_vm_execute.h:200
#5 0x083597a5 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfef4af0) at /usr/local/src/php-5.2.4/Zend/zend_vm_execute.h:322
#6 0x083589a4 in execute (op_array=0xb7f42bc4) at /usr/local/src/php-5.2.4/Zend/zend_vm_execute.h:92
#7 0x083393c2 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-5.2.4/Zend/zend.c:1134
#8 0x082f2bfd in php_execute_script (primary_file=0xbfef6eb0) at /usr/local/src/php-5.2.4/main/main.c:1982
#9 0x0839f299 in main (argc=2, argv=0xbfef6f84) at /usr/local/src/php-5.2.4/sapi/cli/php_cli.c:1140



 [2009-02-03 19:00 UTC] iliaa@php.net
Seems to work fine in CVS, I presume $text should be replacing 
file_get_contents() in your example?
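
A defensive way to reach the body element, as an added example that is not part of the original report or of the tidy extension's code: it walks the tree from root() and treats a missing <body> as a normal outcome. It assumes, from the backtrace above (tidyGetChild reached with node=is_body_node), that the crash involves a body node that does not exist; findElement() and bodyOrNull() are hypothetical helper names and the sample markup is constructed.

```php
<?php
// Added example (PHP 7.1+ with ext-tidy). Helper names are hypothetical.

/** Depth-first search for the first node whose tag name matches $name. */
function findElement(tidyNode $node, string $name): ?tidyNode
{
    if (strcasecmp((string) $node->name, $name) === 0) {
        return $node;
    }
    // $node->child is null, not an empty array, when a node has no children.
    foreach ($node->child ?? [] as $child) {
        $hit = findElement($child, $name);
        if ($hit !== null) {
            return $hit;
        }
    }
    return null;
}

/** Return the <body> node of $html, or null when the document has none. */
function bodyOrNull(string $html): ?tidyNode
{
    $doc = new tidy();
    if (!$doc->parseString($html, [], 'utf8')) {
        throw new RuntimeException('tidy could not parse the input');
    }
    $doc->cleanRepair();

    // Start from the document root instead of assuming a body element exists.
    $root = $doc->root();
    return $root === null ? null : findElement($root, 'body');
}

// Constructed sample: a frameset document like the one in the report.
$frameset = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN">'
    . '<html><head><title>sample</title></head>'
    . '<frameset rows="41,*"><noframes> </noframes>'
    . '<frame name="top" src="/a"><frame name="main" src="/b"></frameset>';

$body = bodyOrNull($frameset);
if ($body === null) {
    echo "No <body> element (frameset document); nothing to process\n";
} else {
    echo 'Body found with ' . count($body->child ?? []) . " child node(s)\n";
}
```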
 