Bug #31447 PHP segfaults when parsing XML with invalid entity
Submitted: 2005-01-07 23:21 UTC Modified: 2005-01-09 18:43 UTC
From: phpbug at ebt dot cjb dot net Assigned:
Status: Not a bug Package: DOM XML related
PHP Version: 4CVS-2004-01-09 OS: Red Hat Linux 7.3
Private report: No CVE-ID: None
 [2005-01-07 23:21 UTC] phpbug at ebt dot cjb dot net
Description:
------------
When the domxml_open_file function is called on a file that contains an invalid entity (like &asdf;), PHP segfaults. Replacing the invalid entity with a valid one (like &amp;) does not cause a segfault.

I'm using the DOMXML extension included with the PHP source (./configure --with-dom)

Reproduce code:
---------------
test.xml:
<?xml version="1.0" ?>
<roottag>
	<test testvalue="tom, dick &asdf; harry" />
</roottag>


test.php:
<?php
$dom = domxml_open_file("test.xml");
?>

Expected result:
----------------
Run the test.php file; PHP should return without an error:

# php test.php
#

Actual result:
--------------
# php test.php
Segmentation fault
#

According to gdb:
# gdb php
(gdb) run test.php
Starting program: /usr/local/bin/php test.php

Program received signal SIGSEGV, Segmentation fault.
0x08208fe5 in add_next_index_zval (arg=0x3, value=0x840526c) at /root/installs/php-4.3.10/Zend/zend_API.c:851
851             return zend_hash_next_index_insert(Z_ARRVAL_P(arg), &value, sizeof(zval *), NULL);
(gdb) bt
#0  0x08208fe5 in add_next_index_zval (arg=0x3, value=0x840526c) at /root/installs/php-4.3.10/Zend/zend_API.c:851
#1  0x080906c4 in domxml_error_ext (ctx=0x83f6fd0, msg=0x405f6fdb "%s") at /root/installs/php-4.3.10/ext/domxml/php_domxml.c:1460
#2  0x40546d9d in __xmlRaiseError (schannel=0, channel=0x809047c <domxml_error_ext>, data=0x83f6fd0, ctx=0x83f6fd0, nod=0x0, 
    domain=1, code=26, level=XML_ERR_FATAL, file=0x83ee6a8 "test.xml", line=3, str1=0x8404c92 "asdf", str2=0x0, str3=0x0, int1=0, 
    int2=0, msg=0x405e9bee "Entity '%s' not defined\n") at error.c:610
#3  0x4054a3fb in xmlFatalErrMsgStr (ctxt=0x83f6fd0, error=XML_ERR_UNDECLARED_ENTITY, msg=0x405e9bee "Entity '%s' not defined\n", 
    val=0x8404c92 "asdf") at parser.c:523
#4  0x40553b4e in xmlParseEntityRef__internal_alias (ctxt=0x83f6fd0) at parser.c:5873
#5  0x4054de47 in xmlParseAttValueComplex (ctxt=0x83f6fd0, attlen=0xbfffbe60, normalize=0) at parser.c:2859
#6  0x405557ac in xmlParseAttribute2 (ctxt=0x83f6fd0, pref=0x0, elem=0x8404c83 "test", prefix=0xbfffbe58, value=0xbfffbe5c, 
    len=0xbfffbe60, alloc=0xbfffbe64) at parser.c:7259
#7  0x40555ac5 in xmlParseStartTag2 (ctxt=0x83f6fd0, pref=0xbfffbea4, URI=0xbfffbea8, tlen=0xbfffbeac) at parser.c:7388
#8  0x40556e51 in xmlParseElement__internal_alias (ctxt=0x83f6fd0) at parser.c:7981
#9  0x40556cf2 in xmlParseContent__internal_alias (ctxt=0x83f6fd0) at parser.c:7905
#10 0x40557091 in xmlParseElement__internal_alias (ctxt=0x83f6fd0) at parser.c:8065
#11 0x405582cb in xmlParseDocument__internal_alias (ctxt=0x83f6fd0) at parser.c:8666
#12 0x080996f9 in domxml_document_parser (mode=0, loadtype=1, source=0x83f2524 "test.xml", data=0x0)
    at /root/installs/php-4.3.10/ext/domxml/php_domxml.c:4003
#13 0x08099a73 in zif_xmldocfile (ht=1, return_value=0x83ee644, this_ptr=0x0, return_value_used=1)
    at /root/installs/php-4.3.10/ext/domxml/php_domxml.c:4073
#14 0x0821b2ab in execute (op_array=0x83f2cbc) at /root/installs/php-4.3.10/Zend/zend_execute.c:1642
#15 0x08206b20 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/installs/php-4.3.10/Zend/zend.c:900
#16 0x081cc682 in php_execute_script (primary_file=0xbfffe560) at /root/installs/php-4.3.10/main/main.c:1736
#17 0x08221c5a in main (argc=2, argv=0xbfffe604) at /root/installs/php-4.3.10/sapi/cli/php_cli.c:822
#18 0x406425d9 in __libc_start_main () from /lib/libc.so.6


 [2005-01-07 23:24 UTC] phpbug at ebt dot cjb dot net
Forgot: I believe the expected result should mention an error with the entity, not simply return without an error. However, gracefully displaying an error is better than a segfault.
 [2005-01-07 23:48 UTC] phpbug at ebt dot cjb dot net
Same result with the latest snapshot.
 [2005-01-08 12:58 UTC] sniper@php.net
I cannot reproduce this. What libxml2 version do you have installed?

 [2005-01-08 17:27 UTC] phpbug at ebt dot cjb dot net
My libxml2 is version 2.6.16

I have also realized that the problem is not just entities, it's with any XML error at all. If I incorrectly leave a tag open or a quote or anything that makes DOMXML display an error, PHP segfaults and the backtrace shows the error that should have been displayed.
 [2005-01-09 12:28 UTC] rrichards@php.net
I can't reproduce this either. Your backtrace shows that the correct vals are being passed setting up the libxml parser, so can't explain why this is happening unless libxml is somehow corrupting the parser context _private. Can you try running:
$dom = domxml_open_file("test.xml", 0 , $err);
var_dump($err);
and see if it also segfaults.

Are you using libxml rpms from xmlsoft.org or did you compile your own libxml (if self compiled what flags did you configure it with?)
 [2005-01-09 17:44 UTC] phpbug at ebt dot cjb dot net
That version results in the same error. Is there a way for me to check for _private corruption?

The RH7.3 RPM version of libxml2 is installed, which is 2.4.19, but I also have version 2.6.16 installed from its source, with no configure flags. (These are in different places). However, PHP is using 2.6.16 according to php_info();

I'd be happy to use the RPM but there is not one maintained for RH7.3
 [2005-01-09 17:58 UTC] rrichards@php.net
Something has to be wrong then with either your libxml build or how domxml is being built with it. Try using the rpms built by dag:
http://dag.wieers.com/packages/libxml2/libxml2-2.6.16-1.0.rh7.rf.i386.rpm
http://dag.wieers.com/packages/libxml2/libxml2-devel-2.6.16-1.0.rh7.rf.i386.rpm
http://dag.wieers.com/packages/libxml2/libxml2-python-2.6.16-1.0.rh7.rf.i386.rpm

After install of necessary rpms rebuild php and try the tests again. 

 [2005-01-09 18:30 UTC] phpbug at ebt dot cjb dot net
Well, that fixed it. I uninstalled (manually removed) libxml2 2.6.16 and ran the RPM update with those packages and all is well. I get "Entity 'asdf' is not defined", which is expected.

Sorry the problem wasn't in PHP, but thanks for all the help.
 [2005-01-09 18:43 UTC] chregu@php.net
not a php bug ;)
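
The thread resolves to two libxml2 installs on one host (2.4.19 from the RPM, 2.6.16 built from source). A check for that condition, as an added example that is not part of the original report: it compares the version declared in the headers a build would pick up with the library version loaded at run time, and flags more than one installed copy. The library paths, the header line and the header/runtime pairing in the sample data are constructed assumptions, not the reporter's actual layout.

```shell
#!/bin/sh
# Added diagnostic sketch; sample data is constructed, not taken from the report.
# Live input could come from (assumed commands, adjust paths to the host):
#   find /usr/lib /usr/local/lib -name 'libxml2.so*'      -> installed copies
#   ldd /usr/local/bin/php | grep libxml2                  -> copy loaded at run time
#   grep LIBXML_DOTTED_VERSION .../libxml/xmlversion.h     -> headers used for the build

# /usr/local/lib/libxml2.so.2.6.16 -> 2.6.16 ; soname symlinks (libxml2.so.2) -> nothing
so_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*libxml2\.so\.\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)$/\1/p'
}

# stdin: one library path per line; stdout: each distinct full version once
distinct_versions() {
    while IFS= read -r path; do
        so_version "$path"
    done | sort -u
}

# stdin: xmlversion.h text; stdout: value of LIBXML_DOTTED_VERSION
header_version() {
    sed -n 's/^#define[[:space:]]*LIBXML_DOTTED_VERSION[[:space:]]*"\([^"]*\)".*/\1/p'
}

# $1 = header version, $2 = run-time version, $3 = newline list of installed versions
verdict() {
    hdr=$1; run=$2; installed=$3
    count=$(printf '%s\n' "$installed" | sed '/^$/d' | wc -l | tr -d ' ')
    if [ "$hdr" != "$run" ]; then
        echo "header-runtime-mismatch"   # extension compiled against other headers
    elif [ "$count" -gt 1 ]; then
        echo "multiple-installs"         # consistent now, but a rebuild may pick the other copy
    else
        echo "ok"
    fi
}

# Constructed sample: RPM copy in /usr/lib, source build in /usr/local/lib
SAMPLE_LIBS='/usr/lib/libxml2.so.2
/usr/lib/libxml2.so.2.4.19
/usr/local/lib/libxml2.so.2
/usr/local/lib/libxml2.so.2.6.16'
SAMPLE_HEADER='#define LIBXML_DOTTED_VERSION "2.4.19"'

INSTALLED=$(printf '%s\n' "$SAMPLE_LIBS" | distinct_versions)
HDR=$(printf '%s\n' "$SAMPLE_HEADER" | header_version)
verdict "$HDR" "2.6.16" "$INSTALLED"
```
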
 