Bug #29549 xpath() output makes PHP segfault or run out of memory when used in preg_match
Submitted: 2004-08-06 15:24 UTC Modified: 2004-11-20 01:00 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: r dot korving at xit dot nl Assigned:
Status: No Feedback Package: SimpleXML related
PHP Version: 5.0.0 OS: debian linux 2.4.26 kernel
Private report: No CVE-ID: None
 [2004-08-06 15:24 UTC] r dot korving at xit dot nl
Description:
------------
When I use the output of $xmlobject->xpath() in a preg_match("/whatever pattern/", $xpathoutput) it makes memory usage explode or the whole script segfaults.

The problem can be manually solved by typecasting the $xpathoutput to a string, but nonetheless, a segfault should never ever be desired behaviour. In fact, in one case I actually saw PHP try to allocate over 1 gigabyte of memory.

Reproduce code:
---------------
#!/usr/bin/php5 
<?php
  // test.xml is the document shown below. xpath() returns an array of
  // SimpleXMLElement objects, so $val[0] is an object, not a string.
  $xml = simplexml_load_file("test.xml");
  $val = $xml->xpath("/rootelem/testelems");

  // $val[0] is handed uncast to preg_match()'s string parameter. The
  // first iteration prints "N"; the script dies on the next one
  // (actual result below: "NSegmentation fault").
  for ($i=0; $i < 20; $i++)
  {
    if (preg_match("/abc/", $val[0]))
      echo "Y";
    else
      echo "N";
  }
?>


test.xml:

<rootelem>
  <testelems>this is one</testelems>
  <testelems>this is another one !</testelems>
</rootelem>

Expected result:
----------------
NNNNNNNNNNNNNNNNNNNN

Actual result:
--------------
NSegmentation fault

 [2004-08-13 12:34 UTC] chregu@php.net
I don't know, if it's an Engine or a SimpleXML problem, but here's the backtrace to it

#0  _efree (ptr=0xffffffff) at /opt/cvs/php5.0/Zend/zend_alloc.c:263
#1  0x001452f4 in _zval_ptr_dtor (zval_ptr=0xffffffef) at /opt/cvs/php5.0/Zend/zend_execute_API.c:391
#2  0x001452f4 in _zval_ptr_dtor (zval_ptr=0x1982538) at /opt/cvs/php5.0/Zend/zend_execute_API.c:391
#3  0x001728a0 in zend_do_fcall_common_helper (execute_data=0xbfffeb70, opline=0x2009f7c, op_array=0x19868e0) at /opt/cvs/php5.0/Zend/zend_execute.h:124
#4  0x0016effc in execute (op_array=0x19868e0) at /opt/cvs/php5.0/Zend/zend_execute.c:1400
#5  0x0015103c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/cvs/php5.0/Zend/zend.c:1061
#6  0x00119914 in php_execute_script (primary_file=0xbffff5b0) at /opt/cvs/php5.0/main/main.c:1627
#7  0x0017c548 in main (argc=2, argv=0xbffffaf4) at /opt/cvs/php5.0/sapi/cli/php_cli.c:943
 [2004-08-13 20:21 UTC] rrichards@php.net
looks like an engine bug. when it parses the arguments for a function and tries to do its auto string conversion magic, the zval gets hosed since it uses the zval as both the read and write object for the cast_object call in zend_parse_arg_impl. simple script:

<?php
$xml = new SimpleXMLElement("<test/>");
str_split($xml); // any function requiring a string parameter
var_dump($xml);  // $xml is foobar at this point
?>
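The reporter's workaround, an explicit string cast before the object reaches a function with a string parameter, shown as an added example that is not part of the bug report or of PHP's own code. It keeps the cast in one place, checks for an empty or failed XPath result instead of indexing $val[0] blindly, and builds the test document inline rather than loading test.xml; the two helper names and the PHP 7+ scalar type declarations are this example's own assumptions.

```php
<?php
// Added example (not from the bug report): the same test.xml content,
// constructed inline so the script runs without a file on disk.
$xmlText = <<<XML
<rootelem>
  <testelems>this is one</testelems>
  <testelems>this is another one !</testelems>
</rootelem>
XML;

$xml = simplexml_load_string($xmlText);
if ($xml === false) {
    fwrite(STDERR, "could not parse XML\n");
    exit(1);
}

/**
 * Run an XPath query and return the text content of every match as a
 * plain PHP string. The (string) cast happens here, exactly once, so no
 * SimpleXMLElement object is ever passed to a function that expects a
 * string parameter. (Hypothetical helper name, chosen for this example.)
 */
function xpathStrings(SimpleXMLElement $xml, string $query): array
{
    $nodes = $xml->xpath($query);
    // xpath() returns false (or null on newer PHP) for a malformed
    // expression; an empty array means the query simply matched nothing.
    if ($nodes === false || $nodes === null) {
        throw new InvalidArgumentException("bad xpath expression: $query");
    }
    $out = [];
    foreach ($nodes as $node) {
        $out[] = (string) $node;   // the reporter's workaround: explicit cast
    }
    return $out;
}

/**
 * Does the text of any node matched by $query match the regex $pattern?
 * preg_match() only ever receives strings here, and an empty result set
 * yields false instead of an undefined-offset access on $val[0].
 * (Hypothetical helper name, chosen for this example.)
 */
function xpathMatches(SimpleXMLElement $xml, string $query, string $pattern): bool
{
    foreach (xpathStrings($xml, $query) as $text) {
        if (preg_match($pattern, $text) === 1) {
            return true;
        }
    }
    return false;
}

// The reporter's loop, with the cast applied: the object never reaches
// preg_match(), so all twenty iterations run.
for ($i = 0; $i < 20; $i++) {
    echo xpathMatches($xml, '/rootelem/testelems', '/abc/') ? 'Y' : 'N';
}
echo "\n";

// A pattern that does occur, and a query that matches no nodes at all.
var_dump(xpathMatches($xml, '/rootelem/testelems', '/another/'));
var_dump(xpathMatches($xml, '/rootelem/missing', '/abc/'));
```

The loop reproduces the "Expected result" from the report rather than the crash, because the value passed to preg_match() is already a string when argument parsing runs. Casting at the point where xpath() results are collected, rather than at every call site, is the habit worth keeping even on engines where the crash is long fixed: SimpleXMLElement objects also surprise array_key_exists(), in_array() and similar functions that compare rather than convert.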
 [2004-11-20 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 05:01:30 2024 UTC