Bug #34952 double free when passing node from external document() to a PHP function
Submitted: 2005-10-21 22:57 UTC Modified: 2005-10-22 13:11 UTC
From: theo at crazygreek dot co dot uk Assigned:
Status: Closed Package: XSLT related
PHP Version: 5.0.5 OS: Linux
Private report: No CVE-ID: None
 [2005-10-21 22:57 UTC] theo at crazygreek dot co dot uk
Description:
------------
Performing a PHP callback from within an XSLT template with a parameter of an element that is inside an external XML document causes a double free, followed by a crash. Running latest stable PHP.

Reproduce code:
---------------
=========
crash.php
=========

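<?php
  // Register PHP callbacks so the stylesheet can use php:function().
  $xslt = new XsltProcessor();
  $xslt->registerPHPFunctions();
  $xslt->importStyleSheet(DOMDocument::load('crash.xsl'));

  // The transform evaluates php:function('crashMe', document('crash.xml')).
  echo $xslt->transformToDoc(new DOMDocument())->saveXml();

  // Callback invoked from the stylesheet; it ignores the node it is passed.
  function crashMe() {
    return null;
  }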

=========
crash.xsl
=========

<xsl:stylesheet 
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
   xmlns:php="http://php.net/xsl" version="1.0">

  <xsl:template match="/">
    <xsl:copy-of select="php:function('crashMe', document('crash.xml'))"/>
  </xsl:template>

</xsl:stylesheet>

=========
crash.xml
=========

<?xml version="1.0"?>
<crashed/>

Expected result:
----------------
Just the following:

<?xml version="1.0"?>


Actual result:
--------------
A crash!

*** glibc detected *** double free or corruption (fasttop): 0x085d8540 ***
Aborted


 [2005-10-21 22:59 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-10-21 23:20 UTC] theo at crazygreek dot co dot uk
I'm afraid I don't have the time to keep a separate server running with latest PHP on.

As it happens, a colleague happens to have a CVS version installed and I've asked him to test and report findings here.

As a note, if he didn't have a copy installed, my response would still have been just the first paragraph of this comment. I'm a developer, not a quality assurance tester, and I do not expect to have to constantly keep latest CVS compiled somewhere just so I can test something every time PHP crashes.
 [2005-10-21 23:30 UTC] tony2001@php.net
I didn't ask you to set up a separate server or to test PHP constantly, or did I?
I asked you to download the latest snapshot and give it a try (you do know that you don't have to do `make install`, right?).

It works fine for me with latest CVS.
Please reopen the report if you still can reproduce it with latest snapshots.

 [2005-10-22 00:19 UTC] theo at crazygreek dot co dot uk
> I didn't ask you to set up a separate server or to test PHP constantly, or did I?

No, however a number of bugs I and colleagues have opened in the past have received exactly the same response [1] - to which exactly the same response has been provided [2].

> I asked you to download the latest snapshot and give it a 
> try (you do know that you don't have to do `make install`,
> right?).

As stated before, I don't have time. Testing PHP bugs is not my job. I'm happy to report them if they appear under latest stable; I'm not happy to test them under different versions other than latest stable, though.

> It works fine for me with latest CVS.

"Test case does not happen under latest CVS HEAD (date xxx) for me with, running libxml xxx, libxslt xxx.  If you would like to test under latest CVS and it appears still broken, feel free to re-open ticket"

... would be a lot more suitable initial response for people who take the time and effort to produce the bug in a test case, after you have tested it.


1 - e.g., <http://bugs.php.net/bug.php?id=34495>
2 - Although almost all of the comments got deleted (or at least not viewable to the public).
 [2005-10-22 13:11 UTC] chregu@php.net
Works for me with 5.1-dev, crashes on 5.0.5.

Therefore the issue seems to be solved in the latest snapshots.
 