Bug #27811 Segmentation fault when xml_parse() used
Submitted: 2004-03-31 14:04 UTC Modified: 2004-04-01 13:45 UTC
From: andrei at vinchi dot ru Assigned:
Status: Not a bug Package: *XML functions
PHP Version: 4.3.5 OS: Red Hat 7.2, SlackWare 9.0
Private report: No CVE-ID: None
 [2004-03-31 14:04 UTC] andrei at vinchi dot ru
Description:
------------
The xml_parse() function is used in a script that parses XML data containing some " " strings. At this string it reports an error, but after that the script dies and the Apache process crashes with a notice in error_log: "[notice] child pid 27456 exit signal Segmentation Fault (11)".

Config line: ./configure --prefix=/opt/php --with-apache=/usr/src/apache_1.3.27rusPL30.16 --with-zlib --with-bz2 --enable-bcmath --enable-calendar --with-readline --enable-exif --enable-wddx --enable-dba --with-gdbm --with-dbase --with-system-regex --with-mod_charset --with-pgsql=/usr/local/PostgreSQL --with-mysql=/usr/local/MySQL --enable-safe-mode --enable-track-vars --enable-memory-limit --disable-short-tags --disable-display-source --with-gd --enable-gd-native-ttf --with-freetype-dir --with-jpeg-dir --with-png-dir --with-xpm-dir --with-debug

gdb:

Program received signal SIGSEGV, Segmentation fault.
normal_updatePosition (enc=0x815edc0,
    ptr=0x821ca78 "ONTENT-DATA-175 CONTENT-DATA-176 CONTENT-DATA-177 CONTENT-DATA-178 CONTENT-DATA-179 CONTENT-DATA-180 CONTENT-DATA-181 CONTENT-DATA-182 CONTENT-DATA-183 CONTENT-DATA-184 CONTENT-DATA-185 CONTENT-DATA-1"...,
    end=0x821ada0 " DESCRIPTION-1 DESCRIPTION-2 DESCRIPTION-3 DESCRIPTION-4 DESCRIPTION-5 DESCRIPTION-6 DESCRIPTION-7 DESCRIPTION-8 DESCRIPTION-9 DESCRIPTION-10 DES"..., pos=0x82144f0)
    at /andrei/php/build/php-4.3.5/ext/xml/expat/xmltok_impl.c:1747
1747        switch (BYTE_TYPE(enc, ptr)) {
(gdb)


Reproduce code:
---------------
1. http://na.vinchi.ru/mkfaultdata.php.txt
This script must be used for creating the "bad.dat" file. It contains the XML data for parsing by the second script, which produces the crash.
2. http://na.vinchi.ru/xml-crash.php.txt


Expected result:
----------------
The script must output 50 lines like this: "Indexing: news_view.php?id=1". The last number changes from 1 to 50.

Actual result:
--------------
Indexing: news_view.php?id=1
... cuted ...
Indexing: news_view.php?id=19
XML parse error on 121 in 298

After that the script and the process die.
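The report's own scripts (mkfaultdata.php and xml-crash.php) are only linked, not reproduced here. The following is an added PHP example, not the reporter's code, showing the defensive parse pattern the report implicitly relies on: check the return value of xml_parse(), and collect the expat error code, message and position before freeing the parser. The sample input is constructed; like the reporter's data it contains "&nbsp;" between records, which is an undefined entity in XML without a DTD, so expat stops with an error instead of completing the document.

```php
<?php
// Added example (not the reporter's mkfaultdata.php / xml-crash.php, which are only
// linked from the bug report). Demonstrates checking xml_parse()'s return value and
// reporting the expat error before the parser is discarded.

// Constructed sample input: "&nbsp;" is not a predefined XML entity and there is no
// DTD declaring it, so expat reports an undefined-entity error on the first record.
$sample = "<?xml version=\"1.0\"?>\n"
        . "<items>\n"
        . "  <item id=\"1\">DESCRIPTION-1&nbsp;CONTENT-DATA-1</item>\n"
        . "  <item id=\"2\">DESCRIPTION-2&nbsp;CONTENT-DATA-2</item>\n"
        . "</items>\n";

// Element handlers: PHP's xml extension case-folds names to upper case by default,
// so the element is seen as ITEM and its attribute as ID.
function start_element($parser, $name, $attrs)
{
    if ($name === 'ITEM' && isset($attrs['ID'])) {
        echo "Indexing: news_view.php?id=" . $attrs['ID'] . "\n";
    }
}

function end_element($parser, $name)
{
    // nothing to do for this example
}

// Parse one complete buffer and return a result array describing success or the error.
function parse_document($data)
{
    $parser = xml_parser_create();
    xml_set_element_handler($parser, 'start_element', 'end_element');

    // The whole buffer is the final chunk. xml_parse() returns false on a
    // well-formedness error; the parser must not be fed further data after that.
    $ok = xml_parse($parser, $data, true);
    $result = array('ok' => (bool) $ok);

    if (!$ok) {
        $code = xml_get_error_code($parser);
        $result['error_code'] = $code;
        $result['error']      = xml_error_string($code);
        // Position lookups walk the input buffer inside expat. In the backtrace
        // attached to this report the segfault is in exactly this call path
        // (xml_get_current_line_number -> normal_updatePosition), so on the affected
        // build this error-reporting step is the one that dies; the resolution given
        // in the report is to build PHP against a current external libexpat.
        $result['line']   = xml_get_current_line_number($parser);
        $result['column'] = xml_get_current_column_number($parser);
    }

    xml_parser_free($parser);
    return $result;
}

$r = parse_document($sample);
if ($r['ok']) {
    echo "Parsed OK\n";
} else {
    printf("XML parse error %d (%s) at line %d, column %d\n",
           $r['error_code'], $r['error'], $r['line'], $r['column']);
}
```

Run it with the PHP CLI (`php example.php`). On a build with a non-crashing expat it prints the "Indexing" line for the first record and then a single error line; on the build described in this report the same script would instead die inside the line-number lookup, which is what the attached gdb backtrace shows.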

 [2004-03-31 14:09 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

I've just tried latest PHP snapshot and I do not see a 
crash. However I do see XML errors after entry #19 
which appear like this: XML parse error on 121 in 905 
 [2004-04-01 01:52 UTC] andrei at vinchi dot ru
I've just tried the latest PHP snapshot too and see that the problem is still present. In gdb the same line 1747 of file php4-STABLE-200404010630/ext/xml/expat/xmltok_impl.c produces the crash.
 [2004-04-01 02:16 UTC] derick@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

Post that backtrace then if you have one...
 [2004-04-01 02:56 UTC] andrei at vinchi dot ru
This is the backtrace in gdb.

(gdb) bt
#0  normal_updatePosition (enc=0x815f760,
    ptr=0x821d560 "ONTENT-DATA-175 CONTENT-DATA-176 CONTENT-DATA-177 CONTENT-DATA-178 CONTENT-DATA-179 CONTENT-DATA-180 CONTENT-DATA-181 CONTENT-DATA-182 CONTENT-DATA-183 CONTENT-DATA-184 CONTENT-DATA-185 CONTENT-DATA-1"...,
    end=0x821b888 " DESCRIPTION-1 DESCRIPTION-2 DESCRIPTION-3 DESCRIPTION-4 DESCRIPTION-5 DESCRIPTION-6 DESCRIPTION-7 DESCRIPTION-8 DESCRIPTION-9 DESCRIPTION-10 DES"..., pos=0x8214ff8)
    at /andrei/php/build/php4-STABLE-200404010630/ext/xml/expat/xmltok_impl.c:1747
#1  0x08109bd8 in php_XML_GetCurrentLineNumber (parser=0x8214e70)
    at /andrei/php/build/php4-STABLE-200404010630/ext/xml/expat/xmlparse.c:1571
#2  0x081082af in zif_xml_get_current_line_number (ht=1, return_value=0x8213bcc, this_ptr=0x0, return_value_used=1)
    at /andrei/php/build/php4-STABLE-200404010630/ext/xml/xml.c:1431
#3  0x0814f011 in execute (op_array=0x820ef04) at /andrei/php/build/php4-STABLE-200404010630/Zend/zend_execute.c:1626
#4  0x0813ee56 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /andrei/php/build/php4-STABLE-200404010630/Zend/zend.c:889
#5  0x0811d1b2 in php_execute_script (primary_file=0xbffffa80)
    at /andrei/php/build/php4-STABLE-200404010630/main/main.c:1731
#6  0x081570a8 in main (argc=2, argv=0xbffffb24) at /andrei/php/build/php4-STABLE-200404010630/sapi/cli/php_cli.c:822
#7  0x40318507 in __libc_start_main (main=0x8156934 <main>, argc=2, ubp_av=0xbffffb24, init=0x8066b4c <_init>,
    fini=0x81575d0 <_fini>, rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffffb1c) at ../sysdeps/generic/libc-start.c:129
(gdb) frame 3
#3  0x0814f011 in execute (op_array=0x820ef04) at /andrei/php/build/php4-STABLE-200404010630/Zend/zend_execute.c:1626
1626                                                            ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);
 [2004-04-01 03:16 UTC] derick@php.net
Can you add the info of the crash (the few lines above the "bt" command) too?
 [2004-04-01 03:35 UTC] andrei at vinchi dot ru
Here they are:

Program received signal SIGSEGV, Segmentation fault.
normal_updatePosition (enc=0x815f760,
    ptr=0x821d560 "ONTENT-DATA-175 CONTENT-DATA-176 CONTENT-DATA-177 CONTENT-DATA-178 CONTENT-DATA-179 CONTENT-DATA-180 CONTENT-DATA-181 CONTENT-DATA-182 CONTENT-DATA-183 CONTENT-DATA-184 CONTENT-DATA-185 CONTENT-DATA-1"...,
    end=0x821b888 "&nbsp;DESCRIPTION-1&nbsp;DESCRIPTION-2&nbsp;DESCRIPTION-3&nbsp;DESCRIPTION-4&nbsp;DESCRIPTION-5&nbsp;DESCRIPTION-6&nbsp;DESCRIPTION-7&nbsp;DESCRIPTION-8&nbsp;DESCRIPTION-9&nbsp;DESCRIPTION-10&nbsp;DES"..., pos=0x8214ff8)
    at /andrei/php/build/php4-STABLE-200404010630/ext/xml/expat/xmltok_impl.c:1747
1747        switch (BYTE_TYPE(enc, ptr)) {

That's all. Maybe you need something else?

The CGI version (not only CGI, but the Apache module too) of PHP supplied with SlackWare 9.0 has this bug. It can be used to check.
 [2004-04-01 13:45 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

This is the result of a bug inside the expat library. To fix 
the problem you need to download the latest CVS of libexpat and 
compile your PHP against the external lib rather than 
the bundled one. At this time we cannot upgrade our library 
since the latest 'stable' release still has the bug and I 
am not sure about the stability of their CVS release. 