Bug #32245 xml_parser_free() in a function assigned to the xml parser gives a segfault
Submitted: 2005-03-09 08:07 UTC
Modified: 2005-04-28 14:21 UTC
Avg. Score: 3.5 ± 0.5
Reproduced: 2 of 2 (100.0%)
Same Version: 1 (50.0%)
Same OS: 1 (50.0%)
From: MageOfChrisz at Gmail dot com
Assigned:
Status: Closed
Package: XML related
PHP Version: 5CVS-2005-03-09
OS: Linux 2.6.10
Private report: No
CVE-ID:
 [2005-03-09 08:07 UTC] MageOfChrisz at Gmail dot com
(Most of what I say here can be found at

When putting "xml_parser_free" in a function assigned to the XML parser with xml_set_element_handler, Apache/PHP gives a Segmentation Fault.

The only browser in which you can feasibly see it blow up would be Lynx. In Firefox, if you're at and type in the link to the file ( it will still show and fail to load the new page. A similar result occurs with Internet Explorer, but in Lynx it'll say:

"Alert!: Unexpected Network read error; connection aborted;"

I made a PHP5.0.4-dev build (as of Mar 09, 2005 05:30 GMT) from

This was originally discovered in PHP 5.0.3, and then tested in PHP5.0.4-dev

Reproduce code:
You can find the code (neatly) here:

Expected result:
Some sort of error telling me not to do what I was doing (due to lack of sleep) or the xml resource actually being freed

Actual result:
Segmentation Fault


 [2005-03-09 11:40 UTC]
Starting program: /usr/src/dev/php-src/sapi/cli/php /www/function_example.php
[Thread debugging using libthread_db enabled]
[New Thread 1080248256 (LWP 30048)]
<foo bar="example" />
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1080248256 (LWP 30048)]
0x08225b82 in _xml_endElementHandler (userData=0x85813ac, name=0x856fd68 "foo") at /usr/src/dev/php-src/ext/xml/xml.c:768
768                                     add_assoc_string(*(parser->ctag),"type","complete",1);
(gdb) bt
#0  0x08225b82 in _xml_endElementHandler (userData=0x85813ac, name=0x856fd68 "foo") at /usr/src/dev/php-src/ext/xml/xml.c:768
#1  0x08228569 in _end_element_handler (user=0x8582164, name=0x857cf5f "foo") at /usr/src/dev/php-src/ext/xml/compat.c:143
#2  0x40551d57 in xmlParseTryOrFinish (ctxt=0x857fe68, terminate=0) at parser.c:9261
#3  0x4055288f in xmlParseChunk__internal_alias (ctxt=0x857fe68,
    chunk=0x857ce4c "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?> \n<php> \n  <example> \n    <foo bar=\"example\" /> \n  </example> \n</php> ", size=139963800,
    terminate=0) at parser.c:9872
#4  0x08228ccc in php_XML_Parse (parser=0x8582164,
    data=0x857ce4c "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?> \n<php> \n  <example> \n    <foo bar=\"example\" /> \n  </example> \n</php> ", data_len=113, is_final=0)
    at /usr/src/dev/php-src/ext/xml/compat.c:512
#5  0x08227114 in zif_xml_parse (ht=2, return_value=0x857cef4, this_ptr=0x0, return_value_used=0) at /usr/src/dev/php-src/ext/xml/xml.c:1333
#6  0x08293dec in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffcbb0) at zend_vm_execute.h:175
#7  0x08296890 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffcbb0) at zend_vm_execute.h:1535
#8  0x08293b06 in execute (op_array=0x857ac9c) at zend_vm_execute.h:78
#9  0x0826f69f in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/php-src/Zend/zend.c:1058
#10 0x0822d0c9 in php_execute_script (primary_file=0xbfffefe0) at /usr/src/dev/php-src/main/main.c:1642
#11 0x082e2db9 in main (argc=2, argv=0xbffff0b4) at /usr/src/dev/php-src/sapi/cli/php_cli.c:944
(gdb) p *parser
$1 = {index = 1515870810, case_folding = 1515870810, parser = 0x5a5a5a5a, target_encoding = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>, startElementHandler = 0x5a5a5a5a,
  endElementHandler = 0x5a5a5a5a, characterDataHandler = 0x5a5a5a5a, processingInstructionHandler = 0x5a5a5a5a, defaultHandler = 0x5a5a5a5a,
  unparsedEntityDeclHandler = 0x5a5a5a5a, notationDeclHandler = 0x5a5a5a5a, externalEntityRefHandler = 0x5a5a5a5a, unknownEncodingHandler = 0x5a5a5a5a,
  startNamespaceDeclHandler = 0x5a5a5a5a, endNamespaceDeclHandler = 0x5a5a5a5a, startElementPtr = 0x5a5a5a5a, endElementPtr = 0x5a5a5a5a, characterDataPtr = 0x5a5a5a5a,
  processingInstructionPtr = 0x5a5a5a5a, defaultPtr = 0x5a5a5a5a, unparsedEntityDeclPtr = 0x5a5a5a5a, notationDeclPtr = 0x5a5a5a5a, externalEntityRefPtr = 0x5a5a5a5a,
  unknownEncodingPtr = 0x5a5a5a5a, startNamespaceDeclPtr = 0x5a5a5a5a, endNamespaceDeclPtr = 0x5a5a5a5a, object = 0x5a5a5a5a, data = 0x5a5a5a5a, info = 0x5a5a5a5a,
  level = 1515870810, toffset = 1515870810, curtag = 1515870810, ctag = 0x5a5a5a5a, ltags = 0x5a5a5a5a, lastwasopen = 1515870810, skipwhite = 1515870810,
  baseURI = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>}
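
The backtrace above shows `_xml_endElementHandler` dereferencing `parser->ctag` after the user handler returned, with every field of `*parser` holding the same fill value, which is consistent with the struct having been released inside the callback. The following is an added example, not code from PHP or from this report: a toy callback-driven parser in which a handler tries to free its own parser, and a re-entrancy guard in the free routine refuses the request while a parse is in progress. All names (`toy_parser`, `toy_parse`, `toy_parser_free`, `freeing_handler`) are hypothetical, and the guard is one possible mitigation, not a statement of how the PHP fix was implemented.

```c
#include <stdlib.h>

/* Hypothetical toy parser for illustration; not PHP's xml_parser struct. */
typedef struct toy_parser toy_parser;
typedef void (*end_handler)(toy_parser *p, const char *name);

struct toy_parser {
    end_handler on_end;  /* user callback, analogous to an element handler */
    int is_parsing;      /* re-entrancy guard: non-zero while toy_parse() runs */
    int depth;           /* state the parser touches after the callback returns */
    int free_refused;    /* number of free attempts rejected by the guard */
};

toy_parser *toy_parser_new(end_handler h) {
    toy_parser *p = calloc(1, sizeof *p);
    if (p) p->on_end = h;
    return p;
}

/* Returns 0 on success, -1 if refused because a parse is in progress. */
int toy_parser_free(toy_parser *p) {
    if (p == NULL) return -1;
    if (p->is_parsing) {   /* without this check, free(p) would leave */
        p->free_refused++; /* toy_parse() holding a dangling pointer  */
        return -1;
    }
    free(p);
    return 0;
}

/* Fires on_end once per '/' in doc (a stand-in for real tokenising).
 * Returns the number of callbacks fired. */
int toy_parse(toy_parser *p, const char *doc) {
    int fired = 0;
    p->is_parsing = 1;
    for (const char *c = doc; *c; c++) {
        if (*c != '/') continue;
        if (p->on_end) p->on_end(p, "foo");
        p->depth--;        /* post-callback access: the "use" in use-after-free */
        fired++;
    }
    p->is_parsing = 0;
    return fired;
}

/* Handler that does what the report describes: frees its own parser. */
void freeing_handler(toy_parser *p, const char *name) {
    (void)name;
    toy_parser_free(p);
}
```
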
 [2005-04-28 14:21 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Last updated: Mon Nov 30 15:01:37 2015 UTC