php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #12002 SIGSEGV with DOMXML (double free()?)
Submitted: 2001-07-10 05:27 UTC Modified: 2001-08-10 11:09 UTC
From: hulinsky at datasec dot cz Assigned:
Status: Closed Package: DOM XML related
PHP Version: 4.0.6 OS: Debian Linux 2/testing
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: hulinsky at datasec dot cz
New email:
PHP Version: OS:

 

 [2001-07-10 05:27 UTC] hulinsky at datasec dot cz
Script too complex to post here (XML edit module). php.ini and apache config - nothing special.

PHP 4.0.6
./configure --prefix=/rscr/apprscr \
                --with-apache=../../APACHE/ORIG/apache_1.3.20 \
                --with-config-file-path=/rscr/apprscr/conf \
                --with-regex=system \
                --enable-debug \
                --enable-track-vars \
                --enable-trans-sid \
                --disable-rpath \
                --enable-session \
                --enable-memory-limit \
                --enable-sysvsem \
                --enable-sysvshm \
                --enable-shmop \
                --enable-ctype \
                --enable-sockets \
                --enable-exif \
                --with-jpeg-dir=shared,/usr \
                --with-xpm-dir=shared,/usr/X11R6 \
                --with-png-dir=shared,/usr \
                --with-ttf=shared,/usr \
                --with-t1lib=shared,/usr \
                --with-mm \
                --with-xml=/usr \ (debian ext/xml/config.m4 patch)
                --with-expat-dir=/usr \
                --with-pcre-regex=/usr \
                --without-pgsql \
                --with-mysql=/usr \
                --with-dom=/usr \
                --with-zlib=/usr \
                --with-ming=/usr \
                --with-iconv=/usr

Apache 1.3.20
./configure --prefix=/rscr/apprscr --with-layout=Apache --disable-module=env --enable-module=setenvif --disable-module=negotiation --enable-module=alias --disable-module=userdir --disable-module=asis --disable-module=include --disable-module=cgi --disable-module=actions --disable-module=imap --disable-module=autoindex --enable-module=dir --activate-module=src/modules/php4/libphp4.a --activate-module=src/modules/gzip/mod_gzip.o --enable-module=rewrite

make EXTRA_CFLAGS=-DDYNAMIC_MODULE_LIMIT=0


ldd httpd
        libpam.so.0 => /lib/libpam.so.0 (0x40020000)
        libdl.so.2 => /lib/libdl.so.2 (0x40028000)
        libexpat.so.0 => /usr/lib/libexpat.so.0 (0x4002c000)
        libmm.so.11 => /usr/lib/libmm.so.11 (0x40049000)
        libpcre.so.3 => /usr/lib/libpcre.so.3 (0x4004e000)
        libmysqlclient.so.10 => /usr/lib/libmysqlclient.so.10 (0x40057000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4008b000)
        libming.so => /usr/lib/libming.so (0x4009b000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x400c2000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4014e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4017c000)
        libm.so.6 => /lib/libm.so.6 (0x4018d000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x401af000)
        libdb.so.2 => /lib/libdb.so.2 (0x401c4000)
        libc.so.6 => /lib/libc.so.6 (0x401d2000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

libc6          2.2.3-5
libc6-dbg      2.2.3-5
libxml2        2.3.13-1
libxml2-dev    2.3.13-1
libexpat1      1.95.1-5
libexpat1-dev  1.95.1-5
libc6-dev 2.2.3-5

GDB trace:

(gdb) run -X
Starting program: /XX/./httpd -X

Program received signal SIGSEGV, Segmentation fault.
0x4024320b in free () from /lib/libc.so.6
(gdb) bt
#0  0x4024320b in free () from /lib/libc.so.6
#1  0x401124d0 in xmlXPathFreeNodeSet () from /usr/lib/libxml2.so.2
#2  0x40112fc8 in xmlXPathFreeObject () from /usr/lib/libxml2.so.2
#3  0x8085362 in php_free_xpath_object (rsrc=0x86e6ed4) at php_domxml.c:188
#4  0x8118bda in list_entry_destructor (ptr=0x86e6ed4) at zend_list.c:179
#5  0x811722b in zend_hash_apply_deleter (ht=0x81e8150, p=0x86e6d04)
    at zend_hash.c:615
#6  0x81173e8 in zend_hash_graceful_destroy (ht=0x81e8150) at zend_hash.c:666#7  0x8118d27 in zend_destroy_rsrc_list () at zend_list.c:234
#8  0x81090c1 in shutdown_executor () at zend_execute_API.c:179
#9  0x811242c in zend_deactivate () at zend.c:540
#10 0x807a867 in php_request_shutdown (dummy=0x0) at main.c:660
#11 0x8077c77 in php_apache_request_shutdown ()
#12 0x8147c39 in run_cleanups ()
#13 0x81462d5 in ap_clear_pool ()
#14 0x8146357 in ap_destroy_pool ()
#15 0x81462c1 in ap_clear_pool ()
#16 0x8156551 in child_main ()
#17 0x8156b91 in make_child ()
#18 0x8156d0c in startup_children ()
#19 0x815737c in standalone_main ()
#20 0x8157bac in main ()
#21 0x401ef2db in __libc_start_main () from /lib/libc.so.6

or with MALLOC_CHECK_=2

#0  0x401feaf1 in kill () from /lib/libc.so.6
#1  0x401fe7d4 in raise () from /lib/libc.so.6
#2  0x401fff51 in abort () from /lib/libc.so.6
#3  0x402451d0 in malloc_set_state () from /lib/libc.so.6
#4  0x402431fa in free () from /lib/libc.so.6

#5  0x401124d0 in xmlXPathFreeNodeSet () from /usr/lib/libxml2.so.2
#6  0x40112fc8 in xmlXPathFreeObject () from /usr/lib/libxml2.so.2
#7  0x8085362 in php_free_xpath_object (rsrc=0x841bc84) at php_domxml.c:188
#8  0x8118bda in list_entry_destructor (ptr=0x841bc84) at zend_list.c:179
#9  0x811722b in zend_hash_apply_deleter (ht=0x81e8150, p=0x8682fb4)
    at zend_hash.c:615
#10 0x81173e8 in zend_hash_graceful_destroy (ht=0x81e8150) at zend_hash.c:666
#11 0x8118d27 in zend_destroy_rsrc_list () at zend_list.c:234
#12 0x81090c1 in shutdown_executor () at zend_execute_API.c:179
#13 0x811242c in zend_deactivate () at zend.c:540
#14 0x807a867 in php_request_shutdown (dummy=0x0) at main.c:660
#15 0x8077c77 in php_apache_request_shutdown ()
#16 0x8147c39 in run_cleanups ()
#17 0x81462d5 in ap_clear_pool ()
#18 0x8146357 in ap_destroy_pool ()
#19 0x81462c1 in ap_clear_pool ()
#20 0x8156551 in child_main ()
#21 0x8156b91 in make_child ()
#22 0x8156d0c in startup_children ()
#23 0x815737c in standalone_main ()
#24 0x8157bac in main ()
#25 0x401ef2db in __libc_start_main () from /lib/libc.so.6


php-error.log
php_domxml.c(1475) :  Freeing 0x082E7BCC (12 bytes), script=/edit_article_dom.html
Last leak repeated 44 times
free(): invalid pointer 0x860dc38!
free(): invalid pointer 0x89f7498!
free(): invalid pointer 0x887a8b0!
free(): invalid pointer 0x84ae8e8!
php_domxml.c(1475) :  Freeing 0x086A867C (12 bytes), script=/edit_article_dom.html
Last leak repeated 45 times
php_domxml.c(1689) :  Freeing 0x0897C19C (48 bytes), script=/edit_article_dom.html
zend_API.c(208) : Actual location (location was relayed)
Last leak repeated 1 time
php_domxml.c(1700) :  Freeing 0x087712B4 (12 bytes), script=/edit_article_dom.html
Last leak repeated 1 time
zend_API.c(574) :  Freeing 0x0850AE4C (12 bytes), script=/edit_article_dom.html
Last leak repeated 1 time
zend_API.c(544) :  Freeing 0x0850AB1C (12 bytes), script=/edit_article_dom.html
Last leak repeated 1 time
zend_hash.c(198) :  Freeing 0x089698E4 (20 bytes), script=/edit_article_dom.htmlLast leak repeated 3 times
php_domxml.c(1701) :  Freeing 0x0896AAA4 (48 bytes), script=/edit_article_dom.html
zend_API.c(188) : Actual location (location was relayed)
Last leak repeated 1 time
zend_hash.c(287) :  Freeing 0x0850BCDC (47 bytes), script=/edit_article_dom.htmlLast leak repeated 3 times
php_domxml.c(1475) :  Freeing 0x0826A50C (12 bytes), script=/edit_article_dom.html
Last leak repeated 44 times


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-07-10 06:04 UTC] joey@php.net
Great! Thanks for the report. Would it be possible for you
to provide as short as possible of a reproducing script/xml
file, either through the bug report interface or by providing a hyperlink, or something?
 [2001-08-10 11:09 UTC] alindeman@php.net
no feedback
 [2004-05-06 17:35 UTC] michal at pasternak dot w dot lub dot pl
I have the same bug, somewhere in DOMXML module, I belive, using 4.3.3 and 4.3.6, both on FreeBSD machines.

This bug report should be reopened and reexamined IMO. I will try to provide some simple testcase soon.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Feb 26 04:01:27 2020 UTC