php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27769 crash (segfault) in php_domxml.c:617
Submitted: 2004-03-30 02:47 UTC Modified: 2004-04-06 13:47 UTC
From: ymettier at libertysurf dot fr Assigned:
Status: Closed Package: DOM XML related
PHP Version: 4.3.5 OS: Solaris 8
Private report: No CVE-ID:
 [2004-03-30 02:47 UTC] ymettier at libertysurf dot fr
Description:
------------
Random Segfault in apache-2.0.48 and php-4.3.5 using domxml functions. This was working with 4.3.0 and was not working at all with 4.3.4. Randomly works with 4.3.5




Reproduce code:
---------------
I cannot give you the code to reproduce the crash (confidentiality), but I can tell you that :
$ grep domxml *php
domxml_open_file
domxml_xmltree
domxml_open_mem

There was a bug with 4.3.4, so I'm falling back to 4.3.0 (not tested versions between 4.3.4 and 4.3.0) for production use.

libxml2 is 2.5.8 here.



Actual result:
--------------
#0  0xfe1cee28 in node_list_wrapper_dtor (node=0x429ba0, destroyref=1) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:617
617                             if (zend_list_find(Z_LVAL_PP(handle), &type)) {
(gdb) p type
$1 = -1
(gdb) p &type
$2 = (int *) 0xffbee988
(gdb) p handle
$3 = (zval **) 0x30ea00
(gdb) bt
#0  0xfe1cee28 in node_list_wrapper_dtor (node=0x429ba0, destroyref=1) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:617
#1  0xfe1cedd4 in node_list_wrapper_dtor (node=0x4719e0, destroyref=1) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:659
#2  0xfe1c3898 in php_free_xml_doc (rsrc=0x3315a0) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:647
#3  0xfe2e0894 in list_entry_destructor (ptr=0x225600) at /tmp/php-4.3.5/Zend/zend_list.c:177
#4  0xfe2df1e8 in zend_hash_apply_deleter (ht=0xfe383b4c, p=0x32ce00) at /tmp/php-4.3.5/Zend/zend_hash.c:608
#5  0xfe2df38c in zend_hash_graceful_reverse_destroy (ht=0xfe383b4c) at /tmp/php-4.3.5/Zend/zend_hash.c:674
#6  0xfe2e0a0c in zend_destroy_rsrc_list (ht=0xfe383b4c) at /tmp/php-4.3.5/Zend/zend_list.c:233
#7  0xfe2cfe40 in shutdown_executor () at /tmp/php-4.3.5/Zend/zend_execute_API.c:213
#8  0xfe2da030 in zend_deactivate () at /tmp/php-4.3.5/Zend/zend.c:670
#9  0xfe2aa440 in php_request_shutdown (dummy=0x0) at /tmp/php-4.3.5/main/main.c:996
#10 0xfe2f5118 in php_apache_request_dtor (r=0x1abf38) at /tmp/php-4.3.5/sapi/apache2handler/sapi_apache2.c:461
#11 0xfe2f57b0 in php_handler (r=0x1abf38) at /tmp/php-4.3.5/sapi/apache2handler/sapi_apache2.c:577
#12 0x4add8 in ap_run_handler (r=0x1abf38) at config.c:194
#13 0x4b3d4 in ap_invoke_handler (r=0x1abf38) at config.c:401
#14 0x38abc in ap_process_request (r=0x1abf38) at http_request.c:288
#15 0x33e90 in ap_process_http_connection (c=0x1a1fe8) at http_core.c:293
#16 0x56374 in ap_run_process_connection (c=0x1a1fe8) at connection.c:85
#17 0x56660 in ap_process_connection (c=0x1a1fe8, csd=0x1a1f10) at connection.c:211
#18 0x496b0 in child_main (child_num_arg=0) at prefork.c:694
#19 0x49830 in make_child (s=0x9d620, slot=0) at prefork.c:788
#20 0x49a80 in perform_idle_server_maintenance (p=0x9acb8) at prefork.c:923
#21 0x49e84 in ap_mpm_run (_pconf=0x0, plog=0x74800, s=0x91000) at prefork.c:1118
#22 0x500b4 in main (argc=3, argv=0xffbef7b4) at main.c:660
(gdb) quit



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-03-30 03:08 UTC] derick@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try avoid embedding huge scripts into the report.
 [2004-04-05 08:56 UTC] sniper@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


 [2004-04-05 08:56 UTC] ymettier at libertysurf dot fr
Here is some code: test.php and test.xml. It does not crash each time I execute it, but crash at least something like 1 time out of 10. Also notice that with shorter lines or fewer xml attributes, it will not crash. Is that a buffer overflow or a memory leak ? Enjoy :)

test.php
========
<html>
<body>
<p>Bug below ?</p>
<?
$xmlstring = preg_replace("/''/","'",file_get_contents("test.xml"));
$tree = domxml_xmltree($xmlstring);
?>
<p>No bug :)</p>
</body>
</html>

test.xml
========
<?xml version="1.0" standalone='yes'?>
<application name='11111111111111111111111' date='2004/04/05 14:27:35' other='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'>
  <object a1='test'
          name='123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678912345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890'
          alias='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
          a='OK'
          b='' c=''
          d='' e=''
          f='' g=''
          h='' i=''
  />
  <object a2='test'
          name='123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678912345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890'
          alias='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
          a='OK'
          b='' c=''
          d='' e=''
          f='' g=''
          h='' i=''
  />
</application>
 [2004-04-06 13:47 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 08:02:55 2014 UTC