Bug #24219 Segmentation Fault in Function node_list_wrapper_dtor
Submitted: 2003-06-17 03:00 UTC Modified: 2003-06-18 08:48 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: wjs at 42virtual dot com Assigned:
Status: Closed Package: DOM XML related
PHP Version: 4.3.2 patched OS: SUSE 8.2
Private report: No CVE-ID: None
 [2003-06-17 03:00 UTC] wjs at 42virtual dot com
Description:
------------
We are getting a not steadily reproducible segmentation fault in this function. From one recursive call to the other, it appears that a NULL pointer (in node) is somehow cast to 0xffff0000. We suspect that this might be a casting problem between xmlNodePtr and xmlAttr.


/*	destroyref is a bool indicating if all registered objects for nodes 
	within the tree should be destroyed */
static inline void node_list_wrapper_dtor(xmlNodePtr node, int destroyref TSRMLS_DC)
{
	while (node != NULL) {
		node_list_wrapper_dtor(node->children, destroyref TSRMLS_CC);
		switch (node->type) {
			/* Skip property freeing for the following types */
			case XML_ATTRIBUTE_DECL:
			case XML_DTD_NODE:
			case XML_ENTITY_DECL:
			case XML_ATTRIBUTE_NODE:
				break;
			default:
				/*	Attribute Nodes contain accessible children
					Call this function with the propert list
				attr_list_wrapper_dtor(node->properties);  */
				node_list_wrapper_dtor((xmlNodePtr) node->properties, destroyref TSRMLS_CC);
		}

		if (destroyref == 1) {
			node_wrapper_free(node TSRMLS_CC);
		} else {
			node_wrapper_dtor(node);
		}

		node = node->next;
	}
}



 [2003-06-17 03:03 UTC] wjs at 42virtual dot com
The variable node is of type xmlNodePtr whereas node->properties is of xmlAttr.

Can this be a big/little endian problem?
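The cast asked about in the report above, as an added example (not PHP's or libxml2's code): a model of a tree whose element and attribute objects share their leading members, walked in the same shape as node_list_wrapper_dtor. The struct layouts, `count_list` and `sample_tree` are assumptions made for illustration; the example does not reproduce the crash or the patch.

```c
#include <stddef.h>
#include <stdio.h>

typedef enum { ELEMENT_NODE = 1, ATTRIBUTE_NODE = 2, TEXT_NODE = 3 } node_type;

/* Members every tree object starts with. libxml2 repeats them in xmlNode and
   xmlAttr; this model (an assumption) embeds one header so the cast between
   object kinds is well defined in ISO C. */
typedef struct head {
    node_type type;
    struct head *children, *next;
} head;

typedef struct { head h; void *ns; int atype; } attr;   /* no properties */
typedef struct { head h; void *ns; char *content; attr *properties; } node;

/* Same shape as the function on the page, counting instead of freeing. */
static int count_list(head *h)
{
    int total = 0;
    while (h != NULL) {
        total += 1 + count_list(h->children);
        switch (h->type) {
        case ATTRIBUTE_NODE:   /* an attr has no properties member to read */
            break;
        default:               /* element or text: the object really is a node */
            total += count_list((head *) ((node *) h)->properties);
        }
        h = h->next;
    }
    return total;
}

/* Constructed sample: <a x="1" y="2"><b/></a> */
static head *sample_tree(void)
{
    static node a, b, tx, ty;
    static attr x, y;
    a.h.type = b.h.type = ELEMENT_NODE;
    tx.h.type = ty.h.type = TEXT_NODE;
    x.h.type = y.h.type = ATTRIBUTE_NODE;
    a.h.children = &b.h; a.properties = &x;
    x.h.children = &tx.h; x.h.next = &y.h; y.h.children = &ty.h;
    return &a.h;
}

int main(void) { printf("%d\n", count_list(sample_tree())); return 0; }
```

Only the shared leading members are read through the common pointer type; the type tag decides whether the object may be treated as a full node before `properties` is touched.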
 [2003-06-17 03:18 UTC] wjs at 42virtual dot com
Backtrace....

(gdb) bt
#0  0x0807504f in node_list_wrapper_dtor (node=0xffff0000, destroyref=0)
    at /usr/local/src/php-4.3.2/ext/domxml/php_domxml.c:638
#1  0x08075058 in node_list_wrapper_dtor (node=0x826e318, destroyref=0)
    at /usr/local/src/php-4.3.2/ext/domxml/php_domxml.c:638
#2  0x08075058 in node_list_wrapper_dtor (node=0x826db08, destroyref=0)
    at /usr/local/src/php-4.3.2/ext/domxml/php_domxml.c:638
#3  0x08069af2 in php_free_xml_doc (rsrc=0x0)
    at /usr/local/src/php-4.3.2/ext/domxml/php_domxml.c:638
#4  0x0813264e in list_entry_destructor (ptr=0x826c6ac)
    at /usr/local/src/php-4.3.2/Zend/zend_list.c:172
#5  0x08131189 in zend_hash_apply_deleter (ht=0x8180a40, p=0x827bcb4)
    at /usr/local/src/php-4.3.2/Zend/zend_hash.c:598
#6  0x0813124a in zend_hash_graceful_reverse_destroy (ht=0x8180a40)
    at /usr/local/src/php-4.3.2/Zend/zend_hash.c:664
#7  0x081327dc in zend_destroy_rsrc_list (ht=0x8180a40)
    at /usr/local/src/php-4.3.2/Zend/zend_list.c:233
#8  0x08123f9f in shutdown_executor ()
    at /usr/local/src/php-4.3.2/Zend/zend_execute_API.c:213
#9  0x0812c340 in zend_deactivate ()
    at /usr/local/src/php-4.3.2/Zend/zend.c:649
#10 0x08101c10 in php_request_shutdown (dummy=0x0)
    at /usr/local/src/php-4.3.2/main/main.c:985
#11 0x0813ef81 in main (argc=2, argv=0xbffff334)
    at /usr/local/src/php-4.3.2/sapi/cli/php_cli.c:862
#12 0x4011b8ae in __libc_start_main () from /lib/libc.so.6
 [2003-06-17 07:08 UTC] rrichards@php.net
Can you provide the dump of the document just prior to the crash?
 [2003-06-17 10:23 UTC] wjs at 42virtual dot com
This is a dump of the output-document just before the crash:

shell>php root.php
..output deleted...
<h1>6.CX after print</h1><h1>7.CX before endofFunc</h1><h1>2.RT afterCALL XSL </h1><h1>3.Before EOR</h1><h1>.EOR</h1>
Segmentation fault (core dumped)
shell>
 [2003-06-17 14:08 UTC] rrichards@php.net
Can you try it with this patch to domxml: http://www.ctindustries.net/patches/domxml20030617.diff.txt

It needs a lot more testing as I wasn't able to use your scripts, so had to hack them apart a bit to somewhat reproduce the issue.
 [2003-06-17 19:12 UTC] wjs at 42virtual dot com
The latest fix has been roughly tested and survived about 6000 iterations with our test program.

We will continue testing today CET (daytime) and will give you feedback if we find something crashing.

Thanks a lot to rrichards!!!!
 [2003-06-18 08:48 UTC] wjs at 42virtual dot com
The bug seems to be resolved via the patch.
The segmentation fault could not be reproduced.
Thanks to all for helping us.
 