Bug #33743 Segfault with replaceChild and entities
Submitted: 2005-07-18 10:18 UTC Modified: 2005-07-18 11:49 UTC
From: aidan@php.net Assigned:
Status: Closed Package: DOM XML related
PHP Version: 5.0.4 OS: N/A
Private report: No CVE-ID: None
 [2005-07-18 10:18 UTC] aidan@php.net
Description:
------------
Segfault using replaceChild.

PHP 4.3.11, LibXML v2.6.9

Reproduce code:
---------------
<?php
// Main document
$xml = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<article>
 <articleinfo>
  <abstract>
   <para>foobar</para>
  </abstract>
 </articleinfo>
</article>';

// Load
$doc = new DomDocument;
$doc->resolveExternals = true;
$doc->loadXml($xml);

// Fragment
$frag = '<?xml version="1.0" encoding="utf-8" ?>';
$frag .= '<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">';
$frag .= '<abstract><para>&deg;</para></abstract>';

// Load
$dom = new DomDocument;
$dom->resolveExternals = true;
$dom->loadXML($frag);

// Locate the node
$xpath = new DOMXpath($doc);
$nodelist = $xpath->query('/article/articleinfo/abstract');
$oldnode = $nodelist->item(0);

// Replace the node
$newnode = $doc->importNode($dom->documentElement, true);
$oldnode->parentNode->replaceChild($newnode, $oldnode);

// Check
echo $doc->saveXml();
?>


Actual result:
--------------
# $ gdb /usr/local/bin/php core.2729
# GNU gdb Red Hat Linux (5.2-2)
# Copyright 2002 Free Software Foundation, Inc.
# GDB is free software, covered by the GNU General Public License, and you are
# welcome to change it and/or distribute copies of it under certain conditions.
# Type "show copying" to see the conditions.
# There is absolutely no warranty for GDB. Type "show warranty" for details.
# This GDB was configured as "i386-redhat-linux"...
# Core was generated by `php dom-replacechild.php'.
# Program terminated with signal 11, Segmentation fault.
# Reading symbols from /lib/libcrypt.so.1...done.
# Loaded symbols for /lib/libcrypt.so.1
# Reading symbols from /usr/lib/libexslt.so.0...done.
# Loaded symbols for /usr/lib/libexslt.so.0
# Reading symbols from /usr/lib/libz.so.1...done.
# Loaded symbols for /usr/lib/libz.so.1
# Reading symbols from /lib/i686/libm.so.6...done.
# Loaded symbols for /lib/i686/libm.so.6
# Reading symbols from /usr/lib/libmysqlclient.so.10...done.
# Loaded symbols for /usr/lib/libmysqlclient.so.10
# Reading symbols from /usr/lib/libbz2.so.1...done.
# Loaded symbols for /usr/lib/libbz2.so.1
# Reading symbols from /lib/libresolv.so.2...done.
# Loaded symbols for /lib/libresolv.so.2
# Reading symbols from /lib/libdl.so.2...done.
# Loaded symbols for /lib/libdl.so.2
# Reading symbols from /lib/libnsl.so.1...done.
# Loaded symbols for /lib/libnsl.so.1
# Reading symbols from /usr/lib/libxslt.so.1...done.
# Loaded symbols for /usr/lib/libxslt.so.1
# Reading symbols from /usr/lib/libxml2.so.2...done.
# Loaded symbols for /usr/lib/libxml2.so.2
# Reading symbols from /lib/i686/libpthread.so.0...done.
# Loaded symbols for /lib/i686/libpthread.so.0
# Reading symbols from /lib/i686/libc.so.6...done.
# Loaded symbols for /lib/i686/libc.so.6
# Reading symbols from /lib/ld-linux.so.2...done.
# Loaded symbols for /lib/ld-linux.so.2
# #0 0x401a60c0 in xmlStrEqual () from /usr/lib/libxml2.so.2
# (gdb) bt
# #0 0x401a60c0 in xmlStrEqual () from /usr/lib/libxml2.so.2
# #1 0x40160043 in xmlSearchNsByHref () from /usr/lib/libxml2.so.2
# #2 0x401602ae in xmlNewReconciliedNs () from /usr/lib/libxml2.so.2
# #3 0x4016048a in xmlReconciliateNs () from /usr/lib/libxml2.so.2
# #4 0x0808ac48 in zif_dom_node_replace_child (ht=2, return_value=0x8906d44, this_ptr=0x859ace4, return_value_used=0)
# at /usr/local/src/php-5.0.4/ext/dom/node.c:1187
# #5 0x081d04fb in zend_do_fcall_common_helper (execute_data=0xbfffd730, opline=0x841f424, op_array=0x841812c)
# at /usr/local/src/php-5.0.4/Zend/zend_execute.c:2727
# #6 0x081b781a in execute (op_array=0x841812c) at /usr/local/src/php-5.0.4/Zend/zend_execute.c:1406
# #7 0x0819b2c5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-5.0.4/Zend/zend.c:1069
# #8 0x0816d7aa in php_execute_script (primary_file=0xbffffad0) at /usr/local/src/php-5.0.4/main/main.c:1632
# #9 0x081d914c in main (argc=2, argv=0xbffffb74) at /usr/local/src/php-5.0.4/sapi/cli/php_cli.c:946
# #10 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
# (gdb) frame 6
# #6 0x081b781a in execute (op_array=0x841812c) at /usr/local/src/php-5.0.4/Zend/zend_execute.c:1406
# 1406 if (EX(opline)->handler(&execute_data, EX(opline), op_array TSRMLS_CC)) {
# (gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
# $1 = 0x81db7a9 "replaceChild"
# (gdb)

 [2005-07-18 11:49 UTC] aidan@php.net
This can be fixed by updating libxml. (Confirmed with libxml 2.6.17).
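
A deployment check built on the two versions named in this report (crash reported with libxml 2.6.9, confirmed gone with 2.6.17). This is an added example, not part of the original report or of PHP itself; the function names and the three status labels are hypothetical, and versions other than those two are treated as unverified because the report says nothing about them.

```php
<?php
// Added example. Version bounds are taken from the bug report only.
const REPORTED_CRASHING = '2.6.9';   // libxml version in the original report
const CONFIRMED_FIXED   = '2.6.17';  // libxml version the reporter confirmed as fixed

/**
 * Return the libxml version PHP was built against (e.g. "2.6.17").
 * LIBXML_DOTTED_VERSION is defined by PHP's libxml extension.
 */
function libxml_build_version(): string
{
    if (!defined('LIBXML_DOTTED_VERSION')) {
        throw new RuntimeException('libxml extension is not available');
    }
    return LIBXML_DOTTED_VERSION;
}

/**
 * Classify a dotted libxml version against the report (hypothetical labels):
 *   confirmed-fixed   : at or above the version confirmed not to crash
 *   reported-crashing : exactly the version from the report
 *   unverified        : anything else; the report gives no data
 */
function classify_libxml(string $version): string
{
    if (version_compare($version, CONFIRMED_FIXED, '>=')) {
        return 'confirmed-fixed';
    }
    if (version_compare($version, REPORTED_CRASHING, '==')) {
        return 'reported-crashing';
    }
    return 'unverified';
}

$version = libxml_build_version();
$status  = classify_libxml($version);
printf("libxml %s: %s\n", $version, $status);

// Non-zero exit lets a build or provisioning step fail on an unfixed library.
exit($status === 'confirmed-fixed' ? 0 : 1);
```

The check reads the version PHP was compiled against; on hosts where the shared library is upgraded separately, confirm the installed libxml2 package version as well.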
 
Last updated: Mon May 13 20:01:34 2024 UTC