php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26384 domxslt->process causes segfault
Submitted: 2003-11-24 08:40 UTC Modified: 2003-11-24 20:58 UTC
From: tony2001 at phpclub dot net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.4 OS: Linux
Private report: No CVE-ID:
 [2003-11-24 08:40 UTC] tony2001 at phpclub dot net
Description:
------------
PHP segfaults when domxslt->process() is called.
It seems to me, that this error is caused by memory corruption, cause I can see, using printf(), in node_wrapper_free(), that wrapper contains some html-code sometimes.

Reproduce code:
---------------
//full code could be grabbed from:
//http://tony2001.phpclub.net/temp/domxslt.tar.gz

$xml = domxml_open_mem(file_get_contents("./area_name.xml"));
$xslt = domxml_xslt_stylesheet_file('./area_list.xsl');
$xslt->process($xml, Array());

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x4033ebdb in zend_hash_index_find (ht=0xffffffff, h=0, pData=0xffffffff) at /root/CVS/php-src_PHP_4_3/Zend/zend_hash.c:960
960             nIndex = h & ht->nTableMask;
(gdb) bt
#0  0x4033ebdb in zend_hash_index_find (ht=0xffffffff, h=0, pData=0xffffffff)
    at /root/CVS/php-src_PHP_4_3/Zend/zend_hash.c:960
#1  0x4024615a in node_wrapper_free (node=0x8180788) at /root/CVS/php-src_PHP_4_3/ext/domxml/php_domxml.c:622
#2  0x40246270 in node_list_wrapper_dtor (node=0x8180788, destroyref=1)
    at /root/CVS/php-src_PHP_4_3/ext/domxml/php_domxml.c:670
#3  0x40238ca3 in php_free_xml_doc (rsrc=0xffffffff) at /root/CVS/php-src_PHP_4_3/ext/domxml/php_domxml.c:653
#4  0x4033f650 in list_entry_destructor (ptr=0x81ab9c4) at /root/CVS/php-src_PHP_4_3/Zend/zend_list.c:177
#5  0x4033e188 in zend_hash_apply_deleter (ht=0x40466ac0, p=0x81ab9c4) at /root/CVS/php-src_PHP_4_3/Zend/zend_hash.c:608
#6  0x4033e22c in zend_hash_graceful_reverse_destroy (ht=0x40466ac0) at /root/CVS/php-src_PHP_4_3/Zend/zend_hash.c:674
#7  0x4033f80f in zend_destroy_rsrc_list (ht=0xffffffff) at /root/CVS/php-src_PHP_4_3/Zend/zend_list.c:233
#8  0x40330e96 in shutdown_executor () at /root/CVS/php-src_PHP_4_3/Zend/zend_execute_API.c:213
#9  0x40338f76 in zend_deactivate () at /root/CVS/php-src_PHP_4_3/Zend/zend.c:665
#10 0x4030c836 in php_request_shutdown (dummy=0x0) at /root/CVS/php-src_PHP_4_3/main/main.c:998
#11 0x4034ba8c in apache_php_module_main (r=0x817c8ec, display_source_mode=0)
    at /root/CVS/php-src_PHP_4_3/sapi/apache/sapi_apache.c:60
#12 0x4034c656 in send_php (r=0x817c8ec, display_source_mode=0, filename=0x0)
    at /root/CVS/php-src_PHP_4_3/sapi/apache/mod_php4.c:620
#13 0x4034c815 in send_parsed_php (r=0x817c8ec) at /root/CVS/php-src_PHP_4_3/sapi/apache/mod_php4.c:635
#14 0x08068eee in ap_invoke_handler ()
#15 0x0807e83e in process_request_internal ()
#16 0x0807ec74 in ap_internal_redirect ()
#17 0x0805e39a in handle_dir ()
#18 0x08068eee in ap_invoke_handler ()
#19 0x0807e83e in process_request_internal ()
#20 0x0807e89b in ap_process_request ()
#21 0x0807535f in child_main ()
#22 0x08075511 in make_child ()
#23 0x08075690 in startup_children ()
#24 0x08075d00 in standalone_main ()
#25 0x0807659a in main ()
#26 0x400d1af7 in __libc_start_main () from /lib/i686/libc.so.6


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-11-24 20:58 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 16:02:23 2014 UTC