php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27821 xml_parse cause segmentation fault when xml_set_object called from class method
Submitted: 2004-04-01 03:05 UTC Modified: 2004-04-07 12:16 UTC
From: michael at elfimov dot com Assigned:
Status: Closed Package: XML related
PHP Version: 5CVS-2004-04-07 OS: *
Private report: No CVE-ID:
 [2004-04-01 03:05 UTC] michael at elfimov dot com
Description:
------------
xml_parse cause segmentation fault when xml_set_object called from class member function (as showed in example below). When xml_set_object called from class constructor or from "parse" class method then things going ok, but when xml_set_object placed in "init" class method then things going wrong.

Reproduce code:
---------------
<?php

class sxml {
    var $handle;

    function start_elem($parser,$name,$attribs) {
	print "$name ";
    
        foreach($attribs as $key => $value) {
            print "$key = $value ";
	}
        print "\n";
    }

    function end_elem()
    {
    }

    function init() {
        $this->handle = xml_parser_create("ISO-8859-1");
        xml_set_object($this->handle, $this);
        xml_set_element_handler($this->handle,'start_elem','end_elem');
        xml_parser_set_option($this->handle,XML_OPTION_CASE_FOLDING,0);
    }

    function release() {
        xml_parser_free($this->handle);
    }

    function parse($source) {
        $this->init();
	xml_parse($this->handle, $source);
        $this->release();
    }

}

$source = '<OBJECT>
<CLIENT_ID>1</CLIENT_ID>
<CLIENT_CAT_ID>3</CLIENT_CAT_ID>
<USER_ID>1</USER_ID>
<GROUP_ID>2</GROUP_ID>
<SESSION_CODE>6f121f896c1db735891d28448b02b978</SESSION_CODE>
</OBJECT>';

$obj = new sxml;
$obj->parse($source);

?>


Expected result:
----------------
OBJECT
CLIENT_ID
CLIENT_CAT_ID
USER_ID
GROUP_ID
SESSION_CODE

Actual result:
--------------
Segmentation fault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-04-07 05:16 UTC] sniper@php.net
[Switching to Thread 16384 (LWP 16987)]
0x083471aa in zend_call_function (fci=0xbfffd270, fci_cache=0x0) at /usr/src/web/php/php5/Zend/zend_execute_API.c:683
683                             if (Z_OBJ_HT_PP(fci->object_pp)->get_method == NULL) {
(gdb) bt
#0  0x083471aa in zend_call_function (fci=0xbfffd270, fci_cache=0x0)
    at /usr/src/web/php/php5/Zend/zend_execute_API.c:683
#1  0x082f852d in xml_call_handler (parser=0x40e47038, handler=0x40e46fb0, function_ptr=0x0, argc=3, argv=0xbfffd2f0)
    at /usr/src/web/php/php5/ext/xml/xml.c:435
#2  0x082f8f13 in _xml_startElementHandler (userData=0x40e47038, name=0x87d3650 "OBJECT", attributes=0x0)
    at /usr/src/web/php/php5/ext/xml/xml.c:711
#3  0x082fbc19 in _start_element_handler (user=0x40e47104, name=0x87d327b "OBJECT", attributes=0x0)
    at /usr/src/web/php/php5/ext/xml/compat.c:63
#4  0x40baf835 in xmlParseStartTag () from /usr/lib/libxml2.so.2
#5  0x40bb4a8d in xmlParseExtParsedEnt () from /usr/lib/libxml2.so.2
#6  0x40bb54ff in xmlParseChunk () from /usr/lib/libxml2.so.2
#7  0x082fc4af in php_XML_Parse (parser=0x40e47104, 
    data=0x40e46b4c "<OBJECT>\n<CLIENT_ID>1</CLIENT_ID>\n<CLIENT_CAT_ID>3</CLIENT_CAT_ID>\n<USER_ID>1</USER_ID>\n<GROUP_ID>2</GROUP_ID>\n<SESSION_CODE>6f121f896c1db735891d28448b02b978</SESSION_CODE>\n</OBJECT>", data_len=182, is_final=0)
    at /usr/src/web/php/php5/ext/xml/compat.c:441
#8  0x082fa9c9 in zif_xml_parse (ht=2, return_value=0x40e46f6c, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php5/ext/xml/xml.c:1349
#9  0x0837a526 in zend_do_fcall_common_helper (execute_data=0xbfffd5e0, opline=0x40e47ccc, op_array=0x40e466a4)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2699
#10 0x0837ac76 in zend_do_fcall_handler (execute_data=0xbfffd5e0, opline=0x40e47ccc, op_array=0x40e466a4)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2828
#11 0x08376b20 in execute (op_array=0x40e466a4) at /usr/src/web/php/php5/Zend/zend_execute.c:1391
#12 0x0837a6bf in zend_do_fcall_common_helper (execute_data=0xbfffd7d0, opline=0x40e42ca0, op_array=0x40e4266c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2728
#13 0x0837ab68 in zend_do_fcall_by_name_handler (execute_data=0xbfffd7d0, opline=0x40e42ca0, op_array=0x40e4266c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2810
#14 0x08376b20 in execute (op_array=0x40e4266c) at /usr/src/web/php/php5/Zend/zend_execute.c:1391
#15 0x08353c59 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1057
#16 0x0830e874 in php_execute_script (primary_file=0xbffffbd0) at /usr/src/web/php/php5/main/main.c:1630
#17 0x0838edaf in main (argc=2, argv=0xbffffc64) at /usr/src/web/php/php5/sapi/cli/php_cli.c:943

 [2004-04-07 12:16 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 04:01:55 2014 UTC