Bug #24801 xml_call_handler() causes segmentation fault
Submitted: 2003-07-25 03:51 UTC
Modified: 2003-07-29 08:37 UTC
From: fujimura at wakhok dot ac dot jp
Assigned:
Status: Closed
Package: XML related
PHP Version: 5CVS-2003-07-28 (dev)
OS: Linux kernel-2.4.21
Private report: No
CVE-ID: None
 [2003-07-25 03:51 UTC] fujimura at wakhok dot ac dot jp
Description:
------------
ext/xml/xml.c:xml_call_handler() causes segmentation fault.

Reproduce code:
---------------
<?php

// startElement exists, but no endElement function is defined anywhere in
// this script; the backtrace below shows xml_call_handler() being entered
// with function_ptr=0x0 for the end-element callback.
function startElement() { }

$parser = xml_parser_create();

xml_set_element_handler($parser, "startElement", "endElement");

xml_parse($parser, "<?xml version=\"1.0\"?><root />", true) OR die(xml_error_string(xml_get_error_code($parser)));

xml_parser_free($parser);

?>


Actual result:
--------------
[fujimura@loki public_html]$ gdb php
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) run xml_parse.php
Starting program: /usr/local/bin/php xml_parse.php

Program received signal SIGSEGV, Segmentation fault.
0x081e7e4c in _zval_ptr_dtor (zval_ptr=0xbfffc97c, __zend_filename=0x825e220 "/home/fujimura/php-src/ext/xml/xml.c", __zend_lineno=423)
    at /home/fujimura/php-src/Zend/zend_execute_API.c:342
342             (*zval_ptr)->refcount--;
(gdb) bt
#0  0x081e7e4c in _zval_ptr_dtor (zval_ptr=0xbfffc97c, __zend_filename=0x825e220 "/home/fujimura/php-src/ext/xml/xml.c", __zend_lineno=423)
    at /home/fujimura/php-src/Zend/zend_execute_API.c:342
#1  0x081ab079 in xml_call_handler (parser=0x40436988, handler=0x40436b7c, function_ptr=0x0, argc=2, argv=0xbfffc9b8)
    at /home/fujimura/php-src/ext/xml/xml.c:423
#2  0x081abc7e in _xml_endElementHandler (userData=0x40436988, name=0x830f550 "root") at /home/fujimura/php-src/ext/xml/xml.c:753
#3  0x081ae851 in _end_element_handler (user=0x4042a0cc, name=0x830f410 "root") at /home/fujimura/php-src/ext/xml/compat.c:128
#4  0x402443be in xmlParseExtParsedEnt () from /usr/lib/libxml2.so.2
#5  0x40244db1 in xmlParseChunk () from /usr/lib/libxml2.so.2
#6  0x081aedc0 in php_XML_Parse (parser=0x4042a0cc, data=0x40437200 "<?xml version=\"1.0\"?><root />", data_len=29, is_final=1)
    at /home/fujimura/php-src/ext/xml/compat.c:400
#7  0x081ad357 in zif_xml_parse (ht=3, return_value=0x40436c8c, this_ptr=0x0, return_value_used=1) at /home/fujimura/php-src/ext/xml/xml.c:1321
#8  0x08211156 in execute_internal (execute_data_ptr=0xbfffcdb0, return_value_used=1) at /home/fujimura/php-src/Zend/zend_execute.c:1143
#9  0x4074b276 in xdebug_execute_internal (current_execute_data=0xbfffcdb0, return_value_used=1) at /home/fujimura/xdebug-1.2.0/xdebug.c:782
#10 0x08215917 in zend_do_fcall_common_helper (execute_data=0xbfffcdb0, op_array=0x40435714) at /home/fujimura/php-src/Zend/zend_execute.c:2513
#11 0x08215feb in zend_do_fcall_handler (execute_data=0xbfffcdb0, op_array=0x40435714) at /home/fujimura/php-src/Zend/zend_execute.c:2642
#12 0x082112a8 in execute (op_array=0x40435714) at /home/fujimura/php-src/Zend/zend_execute.c:1192
#13 0x4074afcc in xdebug_execute (op_array=0x40435714) at /home/fujimura/xdebug-1.2.0/xdebug.c:750
#14 0x081f37d0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/fujimura/php-src/Zend/zend.c:1017
#15 0x081b4af8 in php_execute_script (primary_file=0xbffff5f0) at /home/fujimura/php-src/main/main.c:1568
#16 0x0821dec8 in main (argc=2, argv=0xbffff694) at /home/fujimura/php-src/sapi/cli/php_cli.c:910
#17 0x4030bbb4 in __libc_start_main () from /lib/libc.so.6


 [2003-07-27 15:33 UTC] rrichards@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 [2003-07-28 02:40 UTC] fujimura at wakhok dot ac dot jp
> This bug has been fixed in CVS.
I found another bug.
xml_call_handler() causes... but I think it is different from my first report.

reproduce code:
  <?php
  // Both handlers are valid object methods this time, passed in the
  // array($object, "method") callback form.
  class Handler {
      public function startElement() { }
      public function endElement() { }
  }
  $parser = xml_parser_create();
  $handler = new Handler();
  xml_set_element_handler($parser, array($handler, "startElement"), array($handler, "endElement"));
  // Crashes inside xml_call_handler() while it looks up the handler array
  // (zend_hash_index_find with ht=0x5a5a5a5a in the backtrace below).
  xml_parse($parser, "<?xml version=\"1.0\"?><root />", true) OR
      die(xml_error_string(xml_get_error_code($parser)));
  xml_parser_free($parser);
  ?>

actual:
  Segmentation Fault

bt:
[fujimura@loki public_html]$ gdb php
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) run xml_parse.php
Starting program: /usr/local/bin/php xml_parse.php

Program received signal SIGSEGV, Segmentation fault.
0x081f8926 in _zend_is_inconsistent (ht=0x5a5a5a5a, file=0x8278880 "/home/fujimura/php-src/Zend/zend_hash.c", line=940)
    at /home/fujimura/php-src/Zend/zend_hash.c:53
53              if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  0x081f8926 in _zend_is_inconsistent (ht=0x5a5a5a5a, file=0x8278880 "/home/fujimura/php-src/Zend/zend_hash.c", line=940)
    at /home/fujimura/php-src/Zend/zend_hash.c:53
#1  0x081fae4d in zend_hash_index_find (ht=0x5a5a5a5a, h=0, pData=0xbfffcc8c) at /home/fujimura/php-src/Zend/zend_hash.c:940
#2  0x081ab3f6 in xml_call_handler (parser=0x404367a8, handler=0x40436eb0, function_ptr=0x0, argc=2, argv=0xbfffccd8)
    at /home/fujimura/php-src/ext/xml/xml.c:415
#3  0x081ac077 in _xml_endElementHandler (userData=0x404367a8, name=0x830ca60 "root") at /home/fujimura/php-src/ext/xml/xml.c:751
#4  0x081aec49 in _end_element_handler (user=0x40436874, name=0x830c9c8 "root") at /home/fujimura/php-src/ext/xml/compat.c:128
#5  0x402443be in xmlParseExtParsedEnt () from /usr/lib/libxml2.so.2
#6  0x40244db1 in xmlParseChunk () from /usr/lib/libxml2.so.2
#7  0x081af1b8 in php_XML_Parse (parser=0x40436874, data=0x40436b3c "<?xml version=\"1.0\"?><root />", data_len=29, is_final=1)
    at /home/fujimura/php-src/ext/xml/compat.c:400
#8  0x081ad750 in zif_xml_parse (ht=3, return_value=0x40436c30, this_ptr=0x0, return_value_used=1) at /home/fujimura/php-src/ext/xml/xml.c:1319
#9  0x08215ec7 in zend_do_fcall_common_helper (execute_data=0xbfffd1e0, op_array=0x40435694) at /home/fujimura/php-src/Zend/zend_execute.c:2511
#10 0x082165ab in zend_do_fcall_handler (execute_data=0xbfffd1e0, op_array=0x40435694) at /home/fujimura/php-src/Zend/zend_execute.c:2644
#11 0x08211870 in execute (op_array=0x40435694) at /home/fujimura/php-src/Zend/zend_execute.c:1192
#12 0x081f3d94 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/fujimura/php-src/Zend/zend.c:1017
#13 0x081b4ef0 in php_execute_script (primary_file=0xbffff5e0) at /home/fujimura/php-src/main/main.c:1568
#14 0x0821e534 in main (argc=2, argv=0xbffff684) at /home/fujimura/php-src/sapi/cli/php_cli.c:910
#15 0x4030bbb4 in __libc_start_main () from /lib/libc.so.6
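The two reproduce scripts above trigger the same callback path from two sides: the first passes a handler name ("endElement") that was never defined, the second passes valid object-method callbacks. The following script is an added example, not code from the bug report or from PHP itself. It shows the defensive pattern a PHP caller can apply: check every callback with is_callable() before handing it to xml_set_element_handler(), so an undefined handler name is rejected in userland rather than reaching ext/xml with no function to call, and always free the parser even when parsing or registration fails. The helper names register_element_handlers() and parse_document() are hypothetical; the Handler class mirrors the one in the second report, with the real callback signatures; the XML document is the same constructed one-element document used in the report.

```php
<?php
// Added example (not from the bug report or from PHP): validate XML element
// handlers before registering them, and free the parser on every exit path.

// Mirrors the first reproduce script: a global startElement exists, but no
// global endElement function is ever defined.
function startElement($parser, $name, $attrs) { }

// Mirrors the second reproduce script, with the signatures ext/xml actually
// calls: start handlers get (parser, name, attributes), end handlers (parser, name).
class Handler {
    public $seen = [];
    public function startElement($parser, $name, $attrs) { $this->seen[] = "start:$name"; }
    public function endElement($parser, $name)           { $this->seen[] = "end:$name"; }
}

// Hypothetical helper: accepts the same callback forms xml_set_element_handler()
// does (function-name string or array($object, 'method')) and refuses anything
// that is not callable right now, reporting which handler was bad.
function register_element_handlers($parser, $start, $end) {
    foreach (['start' => $start, 'end' => $end] as $which => $cb) {
        if (!is_callable($cb, false, $callableName)) {
            throw new InvalidArgumentException(
                "$which element handler '$callableName' is not callable");
        }
    }
    xml_set_element_handler($parser, $start, $end);
}

// Hypothetical helper: parse one complete document with the given handlers.
// The finally block guarantees xml_parser_free() runs whether registration is
// rejected, the document is malformed, or parsing succeeds.
function parse_document($xml, $start, $end) {
    $parser = xml_parser_create();
    try {
        register_element_handlers($parser, $start, $end);
        if (!xml_parse($parser, $xml, true)) {
            $code = xml_get_error_code($parser);
            throw new RuntimeException(sprintf('XML error %d at line %d: %s',
                $code, xml_get_current_line_number($parser), xml_error_string($code)));
        }
        return true;
    } finally {
        xml_parser_free($parser);
    }
}

// Constructed input: the same one-element document the bug report parses.
$xml = '<?xml version="1.0"?><root />';

// Case 1 (first report): string callbacks, endElement undefined. The guard
// rejects the registration before xml_parse() is ever reached.
try {
    parse_document($xml, 'startElement', 'endElement');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Case 2 (second report): object-method callbacks, both valid. With case
// folding on (the xml_parser_create() default) the element name arrives as ROOT.
$handler = new Handler();
parse_document($xml, [$handler, 'startElement'], [$handler, 'endElement']);
echo implode(',', $handler->seen), "\n";
```

The is_callable() guard only closes off the first report's trigger, an undefined handler name. In the second report both callbacks are valid, and the ht=0x5a5a5a5a argument in that backtrace is the fill pattern the Zend debug allocator writes into freed memory, so the handler array had already been released when xml_call_handler() looked it up; that is an engine defect no userland check can prevent, and the only remedy is running a build that contains the fix rrichards committed.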
 [2003-07-29 08:37 UTC] rrichards@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

