Bug #34800 Function Crashes PHP
Submitted: 2005-10-10 02:05 UTC Modified: 2005-10-18 01:00 UTC
From: brad at hostland dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5CVS-2005-10-10 (snap) OS: Trustix 2.4-kernel
Private report: No CVE-ID: None
 [2005-10-10 02:05 UTC] brad at hostland dot com
Description:
------------
The function listed below is crashing PHP constantly. It only crashes when certain data is passed to the function and I don't know enough about gdb to tell you the specific data that would make it crash. Hopefully you will be able to figure it out from the backtrace.

I was having this problem with 5.0.5, so I installed the latest 5.1 snapshot and it still has the same problem. Please let me know if you want me to send you an actual core dump, or if there are additional gdb commands you want me to run against the core dump.

Reproduce code:
---------------
function _checkNodeTest($contextPath, $nodeTest) {
    if ($nodeTest == '*') {
      return (!preg_match(':/[^/]+\(\)\[\d+\]$:U', $contextPath));
    }
    elseif (preg_match('/^[\w-:\.]+$/', $nodeTest)) {
       return (preg_match('"/'.$nodeTest.'\[\d+\]$"', $contextPath));
    }
    elseif (preg_match('/\(/U', $nodeTest)) { // Check whether it's a function.
      // Get the type of function to use.
      $function = $this->_prestr($nodeTest, '(');
      // Check whether the node fits the method.
      switch ($function) {
        case 'node':   // Add this node to the list of nodes.
          return TRUE;
        case 'text':   // Check whether the node has some text.
          $tmp = implode('', $this->nodeIndex[$contextPath]['textParts']);
          if (!empty($tmp)) {
            return TRUE; // Add this node to the list of nodes.
          }
          break;       
        default:  // Display an error message.
          $this->_displayError('While parsing an XPath query there was an undefined function called "' .
             str_replace($function, '<b>'.$function.'</b>', $this->currentXpathQuery) .'"', __LINE__, __FILE__);
      }
    }
    else { // Display an error message.
      $this->_displayError("While parsing the XPath query \"{$this->currentXpathQuery}\" ".
        "an empty and therefore invalid node-test has been found.", __LINE__, __FILE__, FALSE);
    }
    return FALSE; // Don't add this context.
  }

Expected result:
----------------
The function should return a boolean value indicating whether or not the string that was passed to it is a valid XPath node.

Actual result:
--------------
(gdb) bt
#0  0x082b9d5b in is_numeric_string (str=0x876a934 "node()", length=6,
    lval=0xbf9fff54, dval=0xbf9fff48, allow_errors=0 '\0')
    at zend_operators.h:83
#1  0x082b999e in zendi_smart_strcmp (result=0xbfa00060, s1=0x879ee0c,
    s2=0x85faa04) at /tmp/php5-200510092230/Zend/zend_operators.c:1894
#2  0x082b81c0 in compare_function (result=0xbfa00060, op1=0x879ee0c,
    op2=0x85faa04) at /tmp/php5-200510092230/Zend/zend_operators.c:1318
#3  0x082b8daf in is_equal_function (result=0xbfa00060, op1=0x879ee0c,
    op2=0x85faa04) at /tmp/php5-200510092230/Zend/zend_operators.c:1474
#4  0x08316795 in ZEND_IS_EQUAL_SPEC_CV_CONST_HANDLER (execute_data=0xbfa00330)
    at zend_vm_execute.h:19994
#5  0x082e4226 in execute (op_array=0x8680dcc) at zend_vm_execute.h:88
#6  0x082e4690 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfa00600)
    at zend_vm_execute.h:224
#7  0x082e4acd in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfa00600)
    at zend_vm_execute.h:310
#8  0x082e4226 in execute (op_array=0x868158c) at zend_vm_execute.h:88
#9  0x082e4690 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfa008d0)
    at zend_vm_execute.h:224
#10 0x082e4acd in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfa008d0)
    at zend_vm_execute.h:310
#11 0x082e4226 in execute (op_array=0x868158c) at zend_vm_execute.h:88
#12 0x082e4690 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfa00ba0)
    at zend_vm_execute.h:224

(gdb) frame 5
#5  0x082e4226 in execute (op_array=0x8680dcc) at zend_vm_execute.h:88
88                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.funtion_name
$2 = 0x85f607c "_checkNodeTest"

 [2005-10-10 07:48 UTC] sniper@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.


 [2005-10-18 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
Last updated: Tue Apr 23 10:01:29 2024 UTC