php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32245 xml_parser_free() in a function assigned to the xml parser gives a segfault
Submitted: 2005-03-09 08:07 UTC Modified: 2005-04-28 14:21 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: MageOfChrisz at Gmail dot com Assigned:
Status: Closed Package: XML related
PHP Version: 5CVS-2005-03-09 OS: Linux 2.6.10
Private report: No CVE-ID:
 [2005-03-09 08:07 UTC] MageOfChrisz at Gmail dot com
Description:
------------
(Most of what I say here can be found at http://chrisallan.info/segfault/)

When putting "xml_parser_free" in a function assigned to the XML parser with xml_set_element_handler, Apache/PHP Gives a Segmentation Fault.

The only browser that you can feasibly see it blow up, would be in lynx. In FireFox, if you're at www.google.com and type in the link to the file (http://chrisallan.info/segfault/function_example.php) it will still show google.com and fail to load the new page. A similar result occurs with Internet Explorer, but in Lynx it'll say: 

"Alert!: Unexpected Network read error; connection aborted;"

I made a PHP5.0.4-dev build (as of Mar 09, 2005 05:30 GMT) from snaps.php.net.

This was originally discovered in PHP 5.0.3, and then tested in PHP5.0.4-dev

Reproduce code:
---------------
You can find the code (neatly) here:
http://chrisallan.info/segfault/

Expected result:
----------------
Some sort of error telling me not to do what I was doing (due to lack of sleep) or the xml resource actually being freed

Actual result:
--------------
Segmentation Fault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-03-09 11:40 UTC] tony2001@php.net
Starting program: /usr/src/dev/php-src/sapi/cli/php /www/function_example.php
[Thread debugging using libthread_db enabled]
[New Thread 1080248256 (LWP 30048)]
<foo bar="example" />
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1080248256 (LWP 30048)]
0x08225b82 in _xml_endElementHandler (userData=0x85813ac, name=0x856fd68 "foo") at /usr/src/dev/php-src/ext/xml/xml.c:768
768                                     add_assoc_string(*(parser->ctag),"type","complete",1);
(gdb) bt
#0  0x08225b82 in _xml_endElementHandler (userData=0x85813ac, name=0x856fd68 "foo") at /usr/src/dev/php-src/ext/xml/xml.c:768
#1  0x08228569 in _end_element_handler (user=0x8582164, name=0x857cf5f "foo") at /usr/src/dev/php-src/ext/xml/compat.c:143
#2  0x40551d57 in xmlParseTryOrFinish (ctxt=0x857fe68, terminate=0) at parser.c:9261
#3  0x4055288f in xmlParseChunk__internal_alias (ctxt=0x857fe68,
    chunk=0x857ce4c "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?> \n<php> \n  <example> \n    <foo bar=\"example\" /> \n  </example> \n</php> ", size=139963800,
    terminate=0) at parser.c:9872
#4  0x08228ccc in php_XML_Parse (parser=0x8582164,
    data=0x857ce4c "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?> \n<php> \n  <example> \n    <foo bar=\"example\" /> \n  </example> \n</php> ", data_len=113, is_final=0)
    at /usr/src/dev/php-src/ext/xml/compat.c:512
#5  0x08227114 in zif_xml_parse (ht=2, return_value=0x857cef4, this_ptr=0x0, return_value_used=0) at /usr/src/dev/php-src/ext/xml/xml.c:1333
#6  0x08293dec in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffcbb0) at zend_vm_execute.h:175
#7  0x08296890 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffcbb0) at zend_vm_execute.h:1535
#8  0x08293b06 in execute (op_array=0x857ac9c) at zend_vm_execute.h:78
#9  0x0826f69f in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/php-src/Zend/zend.c:1058
#10 0x0822d0c9 in php_execute_script (primary_file=0xbfffefe0) at /usr/src/dev/php-src/main/main.c:1642
#11 0x082e2db9 in main (argc=2, argv=0xbffff0b4) at /usr/src/dev/php-src/sapi/cli/php_cli.c:944
(gdb) p *parser
$1 = {index = 1515870810, case_folding = 1515870810, parser = 0x5a5a5a5a, target_encoding = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>, startElementHandler = 0x5a5a5a5a,
  endElementHandler = 0x5a5a5a5a, characterDataHandler = 0x5a5a5a5a, processingInstructionHandler = 0x5a5a5a5a, defaultHandler = 0x5a5a5a5a,
  unparsedEntityDeclHandler = 0x5a5a5a5a, notationDeclHandler = 0x5a5a5a5a, externalEntityRefHandler = 0x5a5a5a5a, unknownEncodingHandler = 0x5a5a5a5a,
  startNamespaceDeclHandler = 0x5a5a5a5a, endNamespaceDeclHandler = 0x5a5a5a5a, startElementPtr = 0x5a5a5a5a, endElementPtr = 0x5a5a5a5a, characterDataPtr = 0x5a5a5a5a,
  processingInstructionPtr = 0x5a5a5a5a, defaultPtr = 0x5a5a5a5a, unparsedEntityDeclPtr = 0x5a5a5a5a, notationDeclPtr = 0x5a5a5a5a, externalEntityRefPtr = 0x5a5a5a5a,
  unknownEncodingPtr = 0x5a5a5a5a, startNamespaceDeclPtr = 0x5a5a5a5a, endNamespaceDeclPtr = 0x5a5a5a5a, object = 0x5a5a5a5a, data = 0x5a5a5a5a, info = 0x5a5a5a5a,
  level = 1515870810, toffset = 1515870810, curtag = 1515870810, ctag = 0x5a5a5a5a, ltags = 0x5a5a5a5a, lastwasopen = 1515870810, skipwhite = 1515870810,
  baseURI = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>}
 [2005-04-28 14:21 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 09:02:28 2014 UTC