|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #23890 Segmentation fault if ext/xml is used by OO code
Submitted: 2003-05-30 03:52 UTC Modified: 2003-07-02 15:18 UTC
Avg. Score:4.7 ± 0.5
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: per at nobolt dot com Assigned:
Status: Closed Package: XML related
PHP Version: 5CVS-2003-05-30 (dev) OS: Debian GNU/Linux
Private report: No CVE-ID: None
 [2003-05-30 03:52 UTC] per at nobolt dot com
The following script causes the bug to appear:


class Parser {
    var $mParser;
    function __construct() {
        $this->mParser = xml_parser_create();
        xml_set_element_handler($this->mParser, array($this, "StartElementHandler"), array($this, "EndElementHandler"));
    function __destruct() {
    function Parse($data) {
        xml_parse($this->mParser, $data);

    function StartElementHandler($parser, $name, $attribs) {
    function EndElementHandler($parser, $name) {

function StartElementHandler($parser, $name, $attribs) {

function EndElementHandler($parser, $name) {

$rss_data = file_get_contents("", "rb");

// This works fine
print "line 1\n";
$parser = xml_parser_create();
print "line 2\n";
xml_set_element_handler($parser, "StartElementHandler", "EndElementHandler");
print "line 3\n";
xml_parse($parser, $rss_data);
print "line 4\n";

// ...but this code will make it crash, upon Zend exit.
print "line 5\n";
$parser = new Parser();
print "line 6\n";
print "line 7\n";
$parser = NULL;
print "line 8\n";


This is the GDB output:
GNU gdb 5.3-debian
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) run
Starting program: /usr/local/php5/bin/php rss_debug.php
line 1
line 2
line 3
line 4
line 5
line 6
line 7
line 8
Program received signal SIGSEGV, Segmentation fault.
0x0812e914 in _efree (ptr=0x5a5a5a5a, __zend_filename=0x8179080 "/usr/local/src/php-cvs/php5/ext/xml/xml.c", __zend_lineno=183, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /usr/local/src/php-cvs/php5/Zend/zend_alloc.c:253
253             CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);
(gdb) backtrace
#0  0x0812e914 in _efree (ptr=0x5a5a5a5a, __zend_filename=0x8179080 "/usr/local/src/php-cvs/php5/ext/xml/xml.c", __zend_lineno=183, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /usr/local/src/php-cvs/php5/Zend/zend_alloc.c:253
#1  0x080fcc10 in php_xml_free_wrapper (ptr=0x5a5a5a5a) at /usr/local/src/php-cvs/php5/ext/xml/xml.c:183
#2  0x400b7303 in xmlCharEncCloseFunc () from /usr/lib/
#3  0x400d9b75 in xmlFreeParserInputBuffer () from /usr/lib/
#4  0x400bad9d in xmlFreeInputStream () from /usr/lib/
#5  0x400bb6fd in xmlFreeParserCtxt () from /usr/lib/
#6  0x08101036 in XML_ParserFree (parser=0x81f21dc) at /usr/local/src/php-cvs/php5/ext/xml/compat.c:574
#7  0x080fd10e in xml_parser_dtor (rsrc=0x81ef184) at /usr/local/src/php-cvs/php5/ext/xml/xml.c:325
#8  0x0814a943 in list_entry_destructor (ptr=0x81ef184) at /usr/local/src/php-cvs/php5/Zend/zend_list.c:178
#9  0x08148dfb in zend_hash_apply_deleter (ht=0x81ad480, p=0x81f03d4) at /usr/local/src/php-cvs/php5/Zend/zend_hash.c:565
#10 0x08149020 in zend_hash_graceful_reverse_destroy (ht=0x81ad480) at /usr/local/src/php-cvs/php5/Zend/zend_hash.c:631
#11 0x0814aa83 in zend_destroy_rsrc_list (ht=0x81ad480) at /usr/local/src/php-cvs/php5/Zend/zend_list.c:234
#12 0x081385ef in shutdown_executor () at /usr/local/src/php-cvs/php5/Zend/zend_execute_API.c:265
#13 0x08142b38 in zend_deactivate () at /usr/local/src/php-cvs/php5/Zend/zend.c:786
#14 0x0810ae53 in php_request_shutdown (dummy=0x0) at /usr/local/src/php-cvs/php5/main/main.c:1174
#15 0x081617a0 in main (argc=2, argv=0xbffffac4) at /usr/local/src/php-cvs/php5/sapi/cli/php_cli.c:1013


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2003-07-02 15:18 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Dec 07 22:03:34 2021 UTC