Bug #49632 xmlrpc_decode result crashes on value assignment
Submitted: 2009-09-22 20:23 UTC Modified: 2009-09-22 21:19 UTC
From: m dot kurzyna at crystalpoint dot pl Assigned:
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.3.0 OS: Linux x86_64
Private report: No CVE-ID: None
 [2009-09-22 20:23 UTC] m dot kurzyna at crystalpoint dot pl
Description:
------------
On decoding value with xmlrpc_decode() it will hang/crash PHP process when trying to assign result value.

This will work fine:

xmlrpc_decode('...','utf-8');

While this:

$r = xmlrpc_decode('...','utf-8');

Will hang/crash. 

This only happens on x86_64 systems - 32bit works fine.

Relevant part of the backtrace seems to be:

#24 0x00007fffeb297271 in XML_ParseBuffer () from /usr/lib64/libexpat.so.0
#25 0x00007fffeb4c329a in xml_elem_parse_buf () from /usr/lib64/libxmlrpc.so.0
#26 0x00007fffeb4c74e9 in XMLRPC_REQUEST_FromXML () from /usr/lib64/libxmlrpc.so.0
#27 0x00007fffeb6d3523 in decode_request_worker (xml_in=0x7ffff637ee60 "\2", xml_in_len=128, encoding_in=<value optimized out>, method_name_out=0xffffffffffffffff) at /usr/src/debug/php-5.3.0/ext/xmlrpc/xmlrpc-epi-php.c:764
#28 0x00007fffeb6d3630 in zif_xmlrpc_decode (ht=<value optimized out>, return_value=0x86e5e0, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=1, tsrm_ls=0x606ce0)
    at /usr/src/debug/php-5.3.0/ext/xmlrpc/xmlrpc-epi-php.c:821


I will provide full trace if needed.


Reproduce code:
---------------
<?php
    $v = xmlrpc_decode(
'<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
        <string>1</string>
      </value>
     </param>
  </params>
</methodResponse>','utf-8');
    echo "OK\n";
?>


Expected result:
----------------
OK

Actual result:
--------------
*** glibc detected *** /usr/bin/php: free(): invalid next size (fast): 0x00000000008a7540 ***

 [2009-09-22 20:32 UTC] jani@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I can not reproduce this. Also make sure you're not loading any zend 
extensions..
 [2009-09-22 20:50 UTC] m dot kurzyna at crystalpoint dot pl
Unfortunately I can reproduce it every time even on bare setup:

[root@apache-php53 bugs]# php -m                           
[PHP Modules]                                              
Core                                                       
date                                                       
ereg                                                       
libxml                                                     
mysqlnd                                                    
pcre                                                       
Reflection                                                 
session                                                    
SPL                                                        
standard                                                   
xmlrpc                                                     

[Zend Modules]

[root@apache-php53 bugs]# php xmlrpc_decode.php 
*** glibc detected *** php: free(): invalid next size (fast): 0x000000000079fbd0 ***

And then backtrace follows, see: http://pastebin.com/f5ed2df2d for full output.
 [2009-09-22 21:19 UTC] m dot kurzyna at crystalpoint dot pl
I've just built current snap (2009.09.22 20:30) and it seems to work fine so it would seem that it's fixed in SVN.

Thanks.
 
Last updated: Sat Dec 21 18:01:29 2024 UTC