Bug #32494 crash when using expat in a class (Works with PHP 5.1)
Submitted: 2005-03-30 02:05 UTC Modified: 2008-07-11 21:24 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:1 (25.0%)
Same OS:2 (50.0%)
From: evert at rooftopsolutions dot nl Assigned:
Status: Wont fix Package: XML related
PHP Version: 4CVS-2005-07-30 OS: Linux glibc 2.3.4
Private report: No CVE-ID: None
 [2005-03-30 02:05 UTC] evert at rooftopsolutions dot nl
Description:
------------
My PHP crashes when using expat functions in a class.
My script opens the 'test' file, but it doesn't matter if it exists or not.

Right now I'm unable to check this with the latest CVS, but I did test this on multiple servers running 4.3.10.

Reproduce code:
---------------
<?

 class sParser {


       function onStartElement($parser,$name,$attribs) {

               return false;

       }

       function onEndElement($parser,$name) {

               return false;

       }

       function onCDATA($parser,$data) {

               return false;

       }

       function onProcessInstruction($parser,$target,$data) {

               return false;

       }


       function onXMLError($line,$errorcode,$errorstring) {

               return false;

       }


       function xmlparse($data) {

               $this->parser = xml_parser_create('UTF-8');
               xml_parser_set_option($this->parser,XML_OPTION_CASE_FOLDING,false);
               xml_set_element_handler($this->parser,array($this, 'onStartElement'),array($this,'onEndElement'));
               xml_set_character_data_handler($this->parser,array($this,'onCDATA'));
               xml_set_processing_instruction_handler($this->parser,array($this,'onProcessInstruction'));
               if (!xml_parse($this->parser,$data)) {
                       $this->onXMLError(xml_get_current_line_number($this->parser), xml_get_error_code($this->parser), xml_error_string(xml_get_error_code($this->parser)));
                       return false;
               } else return $this->parsedData;

       }

       function execute($data) {

               return $this->xmlparse($data);

       }

 }

 $disp = new sParser();

 $disp->execute(file_get_contents('test'));


?> 

Expected result:
----------------
No errors

Actual result:
--------------
PHP Crash

My Apache log says:

[Tue Mar 29 07:07:25 2005] [notice] child pid 9106 exit signal Aborted (6)
*** glibc detected *** double free or corruption (!prev): 0x08205058 ***


History

 [2005-05-05 00:10 UTC] rmartins at dcc dot online dot pt
Try freeing the parser via xml_parser_free()

Ricardo Martins
 [2005-05-05 01:01 UTC] evert at rooftopsolutions dot nl
Thank you rmartins!!!
 [2005-05-17 10:46 UTC] sniper@php.net
Does NOT happen with PHP 5 (using libxml instead of expat)

 [2005-08-18 10:54 UTC] sniper@php.net
See also bug #34150
 [2005-10-31 11:22 UTC] troels at kyberfabrikken dot dk
Does anybody know for how long this problem has existed? Will it be fixed with the next release for PHP 4?
xml_set_object does btw. not have the same problem.
 [2007-06-08 16:21 UTC] nick at prioritycolo dot com
Still seeing this same issue in PHP 4.4.7 (two years later?!) with the cPanel build of Apache and PHP on CentOS "4.5". Seeing core dumps with vBulletin's cron job; upgrading to PHP 5.x is not a short-term option on the shared box in question.
--------------------------------------------------------
Back trace from the vBulletin cron.php throws me:
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x4a2137a5 in raise () from /lib/tls/libc.so.6
#2  0x4a215209 in abort () from /lib/tls/libc.so.6
#3  0x4a247a1a in __libc_message () from /lib/tls/libc.so.6
#4  0x4a24e2bf in _int_free () from /lib/tls/libc.so.6
#5  0x4a24e63a in free () from /lib/tls/libc.so.6
#6  0x08148414 in poolDestroy (pool=0x4a315840)
    at /home/cpapachebuild/buildapache/php-4.4.7/ext/xml/expat/xmlparse.c:5425
#7  0x0814a38b in php_XML_ParserFree (parser=0x86844d0)
    at /home/cpapachebuild/buildapache/php-4.4.7/ext/xml/expat/xmlparse.c:1055

etc etc etc
--------------------------------------------------------
Instant "*** glibc detected *** double free or corruption" occurs:
class test {
    function test() {
        // initialize parser
        $this->parser = xml_parser_create();
        xml_set_element_handler( $this->parser,
                                 array( & $this, "startTag" ),
                                 array( & $this, "endTag" )
                               );
    }
}
$parser = new test();
--------------------------------------------------------
Sigh, I'm guessing we may be SoL on this one...
 [2008-07-11 21:24 UTC] jani@php.net
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.
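
The two workarounds reported in the comments above (binding the object with xml_set_object instead of passing array($this, ...) callbacks, and releasing the parser with xml_parser_free()) combined in one class, as an added example that is not code from the report or from the PHP project. The class name SafeParser, its properties and the sample input are assumptions made for illustration.

```php
<?php
// Added example, written for PHP 4.x (the version this report concerns).
// SafeParser and its members are hypothetical names.
class SafeParser {
    var $parser = null;
    var $elements = array();
    var $lastError = null;

    function onStartElement($parser, $name, $attribs) {
        $this->elements[] = $name;
    }

    function onEndElement($parser, $name) {
    }

    function onCDATA($parser, $data) {
    }

    function parse($data) {
        $this->elements = array();
        $this->lastError = null;

        $this->parser = xml_parser_create('UTF-8');
        xml_parser_set_option($this->parser, XML_OPTION_CASE_FOLDING, false);

        // Workaround from the 2005-10-31 comment: bind the object once and
        // register handlers by method name instead of array($this, 'method').
        xml_set_object($this->parser, $this);
        xml_set_element_handler($this->parser, 'onStartElement', 'onEndElement');
        xml_set_character_data_handler($this->parser, 'onCDATA');

        $ok = xml_parse($this->parser, $data, true);
        if (!$ok) {
            // Read error details while the parser resource is still valid.
            $code = xml_get_error_code($this->parser);
            $this->lastError = array(
                'line'    => xml_get_current_line_number($this->parser),
                'code'    => $code,
                'message' => xml_error_string($code)
            );
        }

        // Workaround from the 2005-05-05 comment: free the parser explicitly
        // on both the success and error paths, then drop the stale handle.
        xml_parser_free($this->parser);
        $this->parser = null;

        return $ok ? $this->elements : false;
    }
}

$p = new SafeParser();
var_dump($p->parse('<root><item>constructed sample</item></root>')); // constructed input
var_dump($p->parse('<root><item>'));                                  // malformed on purpose
```

Freeing inside parse() means the parser never outlives the call, so no handler-bearing resource is left for request shutdown to destroy.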


 
Last updated: Fri Apr 19 19:01:28 2024 UTC