Bug #27408 xmlrpc_decode segfaults on opteron
Submitted: 2004-02-26 18:30 UTC Modified: 2004-03-08 14:04 UTC
From: gregor_macdougall at yahoo dot com Assigned:
Status: Closed Package: XMLRPC-EPI related
PHP Version: 4CVS-2004-02-27 OS: Linux
Private report: No CVE-ID: None
 [2004-02-26 18:30 UTC] gregor_macdougall at yahoo dot com
Description:
------------
The xmlrpc_decode function causes PHP to segfault on each of our 3 dual Opteron servers. These servers are running various versions of Linux and all segfault in a similar way.

Our 32-bit x86 servers have no problem with the same code.

This segfault occurs when running the following program via the command line.

Reproduce code:
---------------
<?php
$response = '<?xml version="1.0"?>
<methodResponse><params><param><value><string>Test</string></value></param></params></methodResponse>';

print xmlrpc_decode($response);
?>


Expected result:
----------------
The program should print "Test".

Actual result:
--------------
#0  0x0000002a9626ccdf in _int_free () from /lib/libc.so.6
#1  0x0000002a9626bb5a in free () from /lib/libc.so.6
#2  0x00000000005c7c2e in convert (
    src=0xa12a84 "Test</string></value></param></params></methodResponse>",
        src_len=4, new_len=0xbfffc78c, from_enc=0x79d11e "UTF-8",
            to_enc=0x79ca28 "iso-8859-1")
    at /home/gregor/php4-STABLE-200402262030/ext/xmlrpc/libxmlrpc/encodings.c:87
#3  0x00000000005c7cfa in utf8_decode (
        s=0xa12a84 "Test</string></value></param></params></methodResponse>",
            len=4, newlen=0xbfffc78c, encoding=0x79ca28 "iso-8859-1")
    at /home/gregor/php4-STABLE-200402262030/ext/xmlrpc/libxmlrpc/encodings.c:117
#4  0x00000000005caa23 in charHandler (userData=0xbfffcbc0,
        s=0xa12a84 "Test</string></value></param></params></methodResponse>",
            len=4)
    at /home/gregor/php4-STABLE-200402262030/ext/xmlrpc/libxmlrpc/xml_element.c:621
#5  0x00000000005a3b42 in doContent (parser=0xa11f30, startTagLevel=0,
        enc=0x912400,
            s=0xa12a84 "Test</string></value></param></params></methodResponse>",
                end=0xa12abb "", nextPtr=0x0)
    at /home/gregor/php4-STABLE-200402262030/ext/xml/expat/xmlparse.c:2299
#6  0x00000000005a23d8 in contentProcessor (parser=0xa11f30,
        start=0xa12a56 "<methodResponse><params><param><value><string>Test</string></value></param></params></methodResponse>", end=0xa12abb "", endPtr=0x0)
    at /home/gregor/php4-STABLE-200402262030/ext/xml/expat/xmlparse.c:1765
#7  0x00000000005a67a5 in doProlog (parser=0xa11f30, enc=0x912400,
        s=0xa12a56 "<methodResponse><params><param><value><string>Test</string></value></param></params></methodResponse>", end=0xa12abb "", tok=29,
            next=0xa12a56 "<methodResponse><params><param><value><string>Test</string></value></param></params></methodResponse>", nextPtr=0x0)
    at /home/gregor/php4-STABLE-200402262030/ext/xml/expat/xmlparse.c:3415
#8  0x00000000005a5eb6 in prologProcessor (parser=0xa11f30,
        s=0xa12a40 "<?xml version=\"1.0\"?>\n<methodResponse><params><param><value><string>Test</string></value></param></params></methodResponse>",
            end=0xa12abb "", nextPtr=0x0)
    at /home/gregor/php4-STABLE-200402262030/ext/xml/expat/xmlparse.c:3178
#9  0x00000000005a599d in prologInitProcessor (parser=0xa11f30,
        s=0xa12a40 "<?xml version=\"1.0\"?>\n<methodResponse><params><param><value><string>Test</string></value></param></params></methodResponse>",
            end=0xa12abb "", nextPtr=0x0)
    at /home/gregor/php4-STABLE-200402262030/ext/xml/expat/xmlparse.c:3009
#10 0x00000000005a1af1 in php_XML_ParseBuffer (parser=0xa11f30, len=123,
        isFinal=1)
    at /home/gregor/php4-STABLE-200402262030/ext/xml/expat/xmlparse.c:1447
#11 0x00000000005a1a34 in php_XML_Parse (parser=0xa11f30,
        s=0xa11ea0 "<?xml version=\"1.0\"?>\n<methodResponse><params><param><value><string>Test</string></value></param></params></methodResponse>", len=123,
            isFinal=1)
    at /home/gregor/php4-STABLE-200402262030/ext/xml/expat/xmlparse.c:1435
#12 0x00000000005cabcc in xml_elem_parse_buf (
        in_buf=0xa11ea0 "<?xml version=\"1.0\"?>\n<methodResponse><params><param><value><string>Test</string></value></param></params></methodResponse>", len=123,
            options=0xbfffcd20, error=0xbfffccb0)
    at /home/gregor/php4-STABLE-200402262030/ext/xmlrpc/libxmlrpc/xml_element.c:695
#13 0x00000000005cb6ac in XMLRPC_REQUEST_FromXML (
        in_buf=0xa11ea0 "<?xml version=\"1.0\"?>\n<methodResponse><params><param><value><string>Test</string></value></param></params></methodResponse>", len=123,
            in_options=0xbfffcd20)
    at /home/gregor/php4-STABLE-200402262030/ext/xmlrpc/libxmlrpc/xmlrpc.c:756
#14 0x00000000005c3e36 in decode_request_worker (xml_in=0x9fbf30,
        encoding_in=0x0, method_name_out=0x0)
    at /home/gregor/php4-STABLE-200402262030/ext/xmlrpc/xmlrpc-epi-php.c:720
#15 0x00000000005c4083 in zif_xmlrpc_decode (ht=1, return_value=0xa0cbe0,
        this_ptr=0x0, return_value_used=1)
    at /home/gregor/php4-STABLE-200402262030/ext/xmlrpc/xmlrpc-epi-php.c:788
#16 0x000000000062c8b1 in execute (op_array=0xa0d800)
#17 0x00000000006185fa in zend_execute_scripts (type=8, retval=0x0,
        file_count=3) at /home/gregor/php4-STABLE-200402262030/Zend/zend.c:886
#18 0x00000000005dab8d in php_execute_script (primary_file=0xbffff680)
            at /home/gregor/php4-STABLE-200402262030/main/main.c:1731
#19 0x00000000006351e6 in main (argc=2, argv=0xbffff768)
                at /home/gregor/php4-STABLE-200402262030/sapi/cli/php_cli.c:822


 [2004-02-27 02:54 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

There are some changes in HEAD, so please try it out.
(we can then merge those into the stable branch if they make any difference..)

 [2004-02-27 11:20 UTC] gregor_macdougall at yahoo dot com
A segfault also occurs with the most recent php5 CVS snapshot. If you would like the backtrace information for php5 as well, please let me know.
 [2004-03-07 22:52 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

I've tried running the given example using PHP 5 & 4 and 
got an identical response which looks like this: 
xpat reports error code 4 
        description: not well-formed (invalid token) 
        line: 3 
        column: 0 
        byte index: 95 
        total bytes: 0 
 
        data beginning 10 before byte index: lue></par 
am></params></methodResponse> 
 [2004-03-08 02:43 UTC] gregor_macdougall at yahoo dot com
You need to make sure that the XML contained in the 
$response variable is properly formed XML. 
 
The interface for bugs.php.net caused a new line character 
to be placed in the midst of the </param> tag, which is 
not valid and causes the XML parse error you received. 
 
You can fix this by removing the new line in the </param> 
tag, and moving it to before the tag. 
 
Sorry for any confusion caused by this.
 [2004-03-08 12:25 UTC] iliaa@php.net
No crash with valid XML either. Leave bug as feedback until 
you or another user of a 64 bit system can confirm that the 
bug exists or if it is fixed. 
 [2004-03-08 13:21 UTC] gregor_macdougall at yahoo dot com
I can confirm that this bug does occur, and only occurs on 
our x86_64 systems.  Here is a log of me running the test 
code on the latest php5 snapshot (same thing occurs with 
php4 stable). 
 
php5 was built with "./configure --with-xmlrpc". 
 
Script started on Mon Mar  8 10:18:14 2004 
 
gregor@ariel:~ $ cat test.php 
<?php 
$response = '<?xml version="1.0"?> 
<methodResponse><params><param> 
<value><string>Test</string></value> 
</param></params></methodResponse>'; 
 
print xmlrpc_decode($response . "\n"); 
?> 
gregor@ariel:~ $ uname -sm 
Linux i686 
gregor@ariel:~r $ php5-200403081630/sapi/cli/php test.php 
Test 
gregor@ariel:~ $ ssh io 
gregor@io:~ $ uname -sm 
Linux x86_64 
gregor@io:~ $ php5-200403081630/sapi/cli/php test.php 
Segmentation fault 
gregor@io:~ $ logout 
gregor@ariel:~ $ ssh hyperion 
gregor@hyperion $ uname -sm 
Linux x86_64 
gregor@hyperion $ php5-200403081630/sapi/cli/php test.php 
Segmentation fault 
gregor@hyperion $ logout 
gregor@ariel:~ $ ssh pandora 
gregor@pandora:~> uname -sm 
Linux x86_64 
gregor@pandora:~> php5-200403081630/sapi/cli/php test.php 
Segmentation fault 
gregor@pandora:~> logout 
 
Script done on Mon Mar  8 10:20:19 2004 
 
ariel is my local x86 box, io, hyperion, and pandora are 
our 3 opteron servers.  The code runs successfully on the 
x86 box, and segfaults on all 3 opterons.
 [2004-03-08 14:04 UTC] abies@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Sun Mar 29 01:01:27 2020 UTC