Bug #38017 Segfault on xml_parser_create() call
Submitted: 2006-07-05 17:32 UTC Modified: 2010-12-20 12:14 UTC
Votes: 3
Avg. Score: 3.3 ± 1.7
Reproduced: 2 of 2 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: baco at infomaniak dot ch Assigned:
Status: No Feedback Package: XML related
PHP Version: 5.1.4 OS: Linux Debian Sarge
Private report: No CVE-ID: None
 [2006-07-05 17:32 UTC] baco at infomaniak dot ch
Description:
------------
PHP5 segmentation fault when a script calls
xml_parser_create() under Apache, but not when called
from the CLI ?!?

$ wget -O- http://.../xml.php

=> Crash of Apache thread

HTTP request sent, awaiting response...
End of file while parsing headers.
Retrying.
child pid ... exit signal Segmentation fault (11)

$ php xml.php

=> result OK

Reproduce code:
---------------
PHP Code to reproduce the segmentation fault inside Apache

<?php
    $file = "data.xml";
    $data = '';

    if (!($fp = fopen($file, "r"))) {
        die("could not open XML input");
    }
    while (!feof($fp)) {
        $data .= fread($fp, 8192);
    }
    fclose($fp);

    $xml_parser = xml_parser_create("ISO-8859-1");
    # crash at this point
    xml_parse_into_struct($xml_parser, $data, $vals, $index);
    xml_parser_free($xml_parser);
    print_r($vals);
?>


Expected result:
----------------
Expected it to return this under Apache too, but it only outputs this
when I call the script from the PHP CLI.

Array
(
    [0] => Array
        (
           ...
        )
 ...
)
 

Actual result:
--------------
N.B.
php.ini and php-cli.ini are the same.
ldd on the php CLI and on libphp5.so both
use the same libxml2 from Debian Sarge.

Result

(gdb) continue

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210239712 (LWP 28800)]
0x0808b14c in XML_ParserFree ()

strace

open("/home/www/29212ea8a58d20e52ba0886bd64685bb/web/test-xml/data.xml", O_RDONLY) = 7
fstat64(7, {st_mode=S_IFREG|0644, st_size=113, ...}) = 0
lseek(7, 0, SEEK_CUR)                   = 0
read(7, "<?xml version=\"1.0\" encoding=\"IS"..., 8192) = 113
read(7, "", 8192)                       = 0
close(7)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
chdir("/opt/apache")                    = 0
rt_sigaction(SIGSEGV, {SIG_DFL}, {SIG_DFL}, 8) = 0
getpid()                                = 28871
kill(28871, SIGSEGV)                    = 0
sigreturn()                             = ? (mask now [])
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
 
PHP Compiled with 
 
'./configure' '--prefix=/opt/php' '--mandir=/usr/share/man' 
'--with-apxs=/opt/apache/bin/apxs' '--disable-cgi' 
'--with-config-file-path=/opt/php/lib' '--disable-sigchild' 
'--disable-ipv6' '--disable-all' '--enable-libxml' 
'--with-libxml-dir' '--with-openssl' '--with-kerberos' 
'--with-pcre-regex' '--with-zlib' '--with-zlib-dir' 
'--enable-bcmath' '--enable-calendar' '--enable-ctype' 
'--with-curl' '--enable-dom' '--enable-exif' '--enable-ftp' 
'--with-openssl-dir' '--with-gd' '--with-jpeg-dir' 
'--with-png-dir' '--with-xpm-dir' '--with-ttf' 
'--with-freetype-dir' '--enable-gd-native-ttf' 
'--with-gettext' '--with-gmp' '--with-iconv' '--with-imap' 
'--with-imap-ssl' '--enable-mbstring' '--enable-mbregex' 
'--with-mcrypt' '--with-mhash' 
'--with-mysql=/opt/misc/mysql' 
'--with-mysqli=/opt/misc/mysql/bin/mysql_config' 
'--enable-pdo' '--with-pdo-mysql=/opt/misc/mysql' 
'--enable-posix' '--enable-session' '--enable-simplexml' 
'--enable-soap' '--enable-spl' '--with-tidy' 
'--enable-tokenizer' '--enable-wddx' '--enable-xml' 
'--with-libexpat-dir' '--with-xmlrpc' '--with-iconv-dir' 
'--with-xsl' '--with-pear' '--enable-memory-limit' 
'--enable-zend-multibyte' '--with-ming=/opt/misc/ming' 
'--enable-debug' 
 
 

History

 [2006-07-05 17:34 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.


 [2006-07-05 17:51 UTC] baco at infomaniak dot ch
Example without any external XML.

$ cat test.php

<?php
 $data = '<?xml version="1.0" encoding="ISO-8859-1" ?><baco></baco>';
 $xml_parser = xml_parser_create("ISO-8859-1");
 xml_parse_into_struct($xml_parser, $data, $vals, $index);
 xml_parser_free($xml_parser);
 print_r($vals);
?>

$ /opt/php/bin/php test.php

Array
(
    [0] => Array
        (
            [tag] => BACO
            [type] => complete
            [level] => 1
        )

)

$ wget -O- http://localhost/test.php

Connecting to localhost[127.0.0.1]:80... connected.
HTTP request sent, awaiting response...
End of file while parsing headers.
Retrying.
...looping forever...

$ tail -n1 /var/log/httpd/error
[Wed Jul  5 19:48:49 2006] [notice] child pid 28993 exit signal Segmentation fault (11)
 [2006-07-05 18:06 UTC] baco at infomaniak dot ch
New strace of previous code 
 
open("/home/www/29212ea8a58d20e52ba0886bd64685bb/web/test.php", O_RDONLY) = 7
fstat64(7, {st_mode=S_IFREG|0644, st_size=235, ...}) = 0
lseek(7, 0, SEEK_CUR)                   = 0
read(7, "<?php\n\t$data = \'<?xml version=\"1"..., 8192) = 235
read(7, "", 8192)                       = 0 
read(7, "", 8192)                       = 0 
brk(0)                                  = 0x85f2000 
brk(0x8613000)                          = 0x8613000 
close(7)                                = 0 
--- SIGSEGV (Segmentation fault) @ 0 (0) --- 
chdir("/opt/apache")                    = 0 
rt_sigaction(SIGSEGV, {SIG_DFL}, {SIG_DFL}, 8) = 0 
getpid()                                = 29068 
kill(29068, SIGSEGV)                    = 0 
sigreturn()                             = ? (mask now []) 
--- SIGSEGV (Segmentation fault) @ 0 (0) --- 
Process 29068 detached 
 
New gdb output from new code 
 
(gdb) continue 
Continuing. 
Program received signal SIGSEGV, Segmentation fault. 
[Switching to Thread -1210239712 (LWP 29128)] 
0xb7e4e07f in memcpy () from /lib/tls/libc.so.6
 [2006-07-05 18:11 UTC] tony2001@php.net
strace does not add any value.
But GDB backtrace could do that.
See this link http://bugs.php.net/bugs-generating-backtrace.php
 [2006-07-05 18:23 UTC] baco at infomaniak dot ch
Thanks for the link on how to debug PHP, because with the first
method I wasn't able to get a core file.
 
gdb bin/httpd
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210309344 (LWP 29253)]
0xb7e3d07f in memcpy () from /lib/tls/libc.so.6

bt
0xb7e3d07f in memcpy () from /lib/tls/libc.so.6
(gdb) bt
#0  0xb7e3d07f in memcpy () from /lib/tls/libc.so.6
#1  0x0808b76f in XML_Parse ()
#2  0x085f03e4 in ?? ()
#3  0x00000039 in ?? ()
#4  0xb78e225e in _emalloc (size=140444644, __zend_filename=0xb78a1ac0 "U1?\211?\203?(\211D$\0301?\211D$\024??", __zend_lineno=0, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /tmp/INFOMANIAK/BUILD/php-5.1.4/20060705185658/php-5.1.4/Zend/zend_alloc.c:214
#5  0xb7919aa8 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb698c0) at zend_vm_execute.h:200
#6  0xb79191c8 in execute (op_array=0x85f009c) at zend_vm_execute.h:92
#7  0xb78fb430 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /tmp/INFOMANIAK/BUILD/php-5.1.4/20060705185658/php-5.1.4/Zend/zend.c:1109
#8  0xb78b77c3 in php_execute_script (primary_file=0xbfb6bc40)
    at /tmp/INFOMANIAK/BUILD/php-5.1.4/20060705185658/php-5.1.4/main/main.c:1732
#9  0xb796fee9 in apache_php_module_main (r=0x812289c, display_source_mode=0)
    at /tmp/INFOMANIAK/BUILD/php-5.1.4/20060705185658/php-5.1.4/sapi/apache/sapi_apache.c:53
#10 0xb7970aca in send_php (r=0x812289c, display_source_mode=0, filename=0x0)
    at /tmp/INFOMANIAK/BUILD/php-5.1.4/20060705185658/php-5.1.4/sapi/apache/mod_php5.c:661
#11 0xb7970c53 in send_parsed_php (r=0x812289c)
    at /tmp/INFOMANIAK/BUILD/php-5.1.4/20060705185658/php-5.1.4/sapi/apache/mod_php5.c:676
#12 0x08055dff in ap_invoke_handler ()
#13 0x0812289c in ?? ()
#14 0xb7b3f394 in zend_vm_decode.1 () from /opt/apache/libexec/libphp5.so
#15 0x00000017 in ?? ()
#16 0xffffffff in ?? ()
#17 0xffffffff in ?? ()
#18 0xffffffff in ?? ()
#19 0x080c19b4 in ?? ()
#20 0x080c19a4 in ?? ()
#21 0x08122ba4 in ?? ()
#22 0xbfb6bfa0 in ?? ()
#23 0x00000002 in ?? ()
#24 0x0805592c in run_method ()
#25 0x00000017 in ?? ()
#26 0x085c5ce8 in ?? ()
#27 0x0812289c in ?? ()
#28 0x084ce32c in ?? ()
#29 0x0812289c in ?? ()
#30 0xb7f54d32 in add_env_module_vars_unset () from /opt/apache/libexec/mod_env.so
#31 0x00000017 in ?? ()
#32 0x00000000 in ?? ()
#33 0x084ce32c in ?? ()
#34 0x085c5ce8 in ?? ()
#35 0x0806f3c1 in process_request_internal ()
#36 0x0812289c in ?? ()
#37 0xb7f4dd68 in ?? ()
#38 0x00000001 in ?? ()
#39 0x00000000 in ?? ()
#40 0x0812421c in ?? ()
#41 0x080acece in priorities ()
#42 0xb7dd8974 in __libc_start_main () from /lib/tls/libc.so.6
#43 0xb7dd8974 in __libc_start_main () from /lib/tls/libc.so.6
#44 0x08050051 in _start () at ../sysdeps/i386/elf/start.S:102
 [2006-07-05 18:35 UTC] tony2001@php.net
Uhm.. Now THAT doesn't make any sense to me.
What Apache version is that? And which MPM are you using if it's Apache 2? 
Also, please try to remove all those configure options which are not required to execute this piece of code. 
I guess just "./configure --with-apxs= ... --enable-debug" should be enough.
 
 [2006-07-05 18:48 UTC] baco at infomaniak dot ch
Unable to reproduce the issue with

'./configure' '--prefix=/opt/php' '--mandir=/usr/share/man'
'--with-apxs=/opt/apache/bin/apxs' '--enable-debug'

So a special configure option does this ... ?!?
 [2006-07-05 18:54 UTC] tony2001@php.net
Yeah, that's what I thought - please try to add configure options one by one and see which one causes the problem.
Hint: I suspect it could be --with-curl or --with-openssl.
 [2006-07-05 19:02 UTC] baco at infomaniak dot ch
This can also reproduce the bug,
so now I will remove them one by one... until the rabbit ;-)
 
'./configure' '--prefix=/opt/php' '--mandir=/usr/share/man'  
'--with-apxs=/opt/apache/bin/apxs' '--enable-debug'  
'--disable-all' '--enable-libxml' '--with-libxml-dir'  
'--enable-dom' '--with-xpm-dir' '--enable-simplexml'  
'--enable-xml' '--with-libexpat-dir' '--with-xmlrpc'  
  
N.B. We are using Apache 1.3.36
 [2006-07-05 19:28 UTC] baco at infomaniak dot ch
So the answer is that mixing the option "enable-xml" together with
"with-libexpat-dir" crashes PHP when calling
xml_parser_create().

I hope you can identify the compilation bug now ??
 
./configure \ 
--prefix=${PREFIX} \ 
--mandir=/usr/share/man \ 
--with-apxs=/opt/apache/bin/apxs \ 
--enable-debug \ 
--disable-all \ 
--enable-xml \ 
--enable-libxml \ 
\ 
--with-libexpat-dir   
 
$ dpkg -l | grep expat 
ii  libexpat1      1.95.8-3       XML parsing C library - 
runtime library 
 
$ dpkg -l | grep expat 
ii  libexpat1      1.95.8-3       XML parsing C library - 
runtime library 
ii  libexpat1-dev  1.95.8-3       XML parsing C library - 
development kit
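The option-by-option search that tony2001 asked for, and that the reporter carried out by hand above (ending at the finding that "enable-xml" combined with "with-libexpat-dir" is what crashes), can be scripted. The following POSIX shell script is an added example, not code from the bug report or from the PHP project: it adds candidate configure options to a known-good base set one at a time, stops at the first option whose addition makes a probe fail, and then checks whether that option fails on its own or only in combination with one of the options accepted before it. The probe() function is a constructed stand-in that merely reproduces the behaviour observed in this thread; on a real host it would be replaced by a configure, make and request-through-Apache cycle against the reporter's test.php. The option lists are taken from the reduced ./configure line posted above.

```shell
#!/bin/sh
# Added example, not from the bug report: automate "add the configure
# options one by one and see which one causes the problem".

# probe OPTION... : CONSTRUCTED stand-in for "./configure OPTION... &&
# make && request test.php through Apache". Returns 0 when the build
# works and 1 when it "crashes". It models the finding of this thread:
# the crash needs both --enable-xml and --with-libexpat-dir.
probe() {
    have_xml=0
    have_expat=0
    for o in "$@"; do
        case "$o" in
            --enable-xml)         have_xml=1 ;;
            --with-libexpat-dir*) have_expat=1 ;;
        esac
    done
    if [ "$have_xml" -eq 1 ] && [ "$have_expat" -eq 1 ]; then
        return 1
    fi
    return 0
}

# first_failing_option BASE CANDIDATES
# BASE: space-separated options already known to work.
# CANDIDATES: space-separated options added cumulatively, in order.
# Prints the first candidate whose addition makes probe fail, or "none".
first_failing_option() {
    acc="$1"
    for cand in $2; do
        if probe $acc $cand; then
            acc="$acc $cand"
        else
            printf '%s\n' "$cand"
            return 0
        fi
    done
    printf 'none\n'
}

# partner_of BASE ACCEPTED CULPRIT
# Distinguishes "CULPRIT is broken by itself" from "CULPRIT only breaks
# in combination": if BASE plus CULPRIT fails, prints "alone"; otherwise
# tries CULPRIT against each ACCEPTED option individually and prints the
# first one that triggers the failure, or "none".
partner_of() {
    base="$1"
    culprit="$3"
    if ! probe $base $culprit; then
        printf 'alone\n'
        return 0
    fi
    for p in $2; do
        if ! probe $base $culprit $p; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    printf 'none\n'
}

# Option sets taken from the reporter's reduced ./configure line.
BASE='--prefix=/opt/php --mandir=/usr/share/man --with-apxs=/opt/apache/bin/apxs --enable-debug'
CANDIDATES='--disable-all --enable-libxml --with-libxml-dir --enable-dom --with-xpm-dir --enable-simplexml --enable-xml --with-libexpat-dir --with-xmlrpc'

# Stand-alone run: report the culprit and what it interacts with.
culprit=$(first_failing_option "$BASE" "$CANDIDATES")
echo "first failing option: $culprit"            # --with-libexpat-dir
if [ "$culprit" != none ]; then
    accepted=${CANDIDATES%%"$culprit"*}          # options accepted before the culprit
    echo "interacts with: $(partner_of "$BASE" "$accepted" "$culprit")"   # --enable-xml
fi
```

The cumulative order matters: the option reported is the first one that breaks the set as built up so far, which is why partner_of is needed to name the other half of a pairwise interaction such as the one found here.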
 [2006-07-05 19:49 UTC] tony2001@php.net
The --with-libexpat-dir option was deprecated years ago and there is no sense in using it if you have libxml on your system.
Also, it works just fine here.
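Since the deprecated flag silently changes which parser library ext/xml is linked against, a deployed build can be checked for it. The following POSIX shell script is an added example, not code from the bug report or from the PHP project. It relies on the rows that ext/xml's module info prints: "libxml2 Version" for the default libxml2 build and "EXPAT Version" when PHP was configured with --with-libexpat-dir, as shown by `php -i`; the sample reports embedded below are constructed for the example and are trimmed to the rows the checks read.

```shell
#!/bin/sh
# Added example, not from the bug report: tell from a `php -i` report
# which library ext/xml was built against. ext/xml's module info prints
# a "libxml2 Version" row for the default libxml2 build and an
# "EXPAT Version" row when PHP was configured with --with-libexpat-dir.

# xml_backend : reads php -i output on stdin and prints one of
#   libxml2 | expat | unknown (xml section present, no version row)
#   none    (no active xml extension)
xml_backend() {
    awk '
        # A non-empty line without " => " is a section header (module name).
        $0 != "" && index($0, " => ") == 0 { section = $0; next }
        section == "xml" && /^XML Support => active/  { active = 1 }
        section == "xml" && /^libxml2 Version => /    { backend = "libxml2" }
        section == "xml" && /^EXPAT Version => /      { backend = "expat" }
        END {
            if (!active)          print "none"
            else if (backend)     print backend
            else                  print "unknown"
        }'
}

# configure_uses_expat : exit 0 if the Configure Command row of a php -i
# report on stdin contains the deprecated --with-libexpat-dir flag.
configure_uses_expat() {
    grep -q '^Configure Command => .*--with-libexpat-dir'
}

# CONSTRUCTED sample reports, trimmed to the rows these checks look at.
SAMPLE_EXPAT='phpinfo()
PHP Version => 5.1.4

Configure Command => ./configure --prefix=/opt/php --enable-xml --with-libexpat-dir

xml

XML Support => active
XML Namespace Support => active
EXPAT Version => 1.95.8

xmlrpc

core library version => xmlrpc-epi v. 0.51'

SAMPLE_LIBXML='phpinfo()
PHP Version => 5.1.4

Configure Command => ./configure --prefix=/opt/php --enable-xml

xml

XML Support => active
XML Namespace Support => active
libxml2 Version => 2.6.16'

# Stand-alone run against the samples; on a real host use: php -i | xml_backend
printf '%s\n' "$SAMPLE_EXPAT"  | xml_backend     # expat
printf '%s\n' "$SAMPLE_LIBXML" | xml_backend     # libxml2
```

Restricting the match to the "xml" section avoids false positives from other modules (ext/libxml and ext/dom print their own libxml rows); running it against both the CLI binary and the Apache module's phpinfo() output is the quickest way to confirm the two builds agree, which is the comparison the reporter made with ldd above.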
 [2006-07-05 19:49 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-07-05 21:01 UTC] baco at infomaniak dot ch
Same issue with 
5e8837ebfe06a3d9b121e763ee34a969 php5.2-latest.tar.gz (200607051830)

So to help you to analyse the problem with 
--enable-xml --enable-libxml --with-libexpat-dir

I have pushed files to

http://imu77.infomaniak.ch/baco/

php5.2-200607051830-output.log -- the output of my compilation script
php5.2-200607051830.tar.gz -- the php source with compiled objects on Debian Sarge and all Makefile generated by configure.

I cannot do more. Our issue is resolved by removing with-libexpat-dir, but the bug is still present if libexpat is used on our server.
 [2006-07-05 21:13 UTC] tony2001@php.net
Did the GDB backtrace change when you removed all those ./configure options ?
 [2006-07-05 21:23 UTC] baco at infomaniak dot ch
It looks the same.

./configure \
--prefix=${PREFIX} \
--mandir=/usr/share/man \
--with-apxs=/opt/apache/bin/apxs \
--enable-debug \
--disable-all \
--enable-xml \
--enable-libxml \
\
--with-libexpat-dir

$ gdb /opt/apache/bin/httpd 
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run -X
Starting program: /opt/apache/bin/httpd -X


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210223328 (LWP 31545)]
0xb7e52077 in memcpy () from /lib/tls/libc.so.6
(gdb) 

#0  0xb7e52077 in memcpy () from /lib/tls/libc.so.6
#1  0x0808b76f in XML_Parse ()
#2  0x0853b3c4 in ?? ()
#3  0x00000039 in ?? ()
#4  0xb7c1314b in _array_init (arg=0x4, __zend_filename=0x852ec3c "", __zend_lineno=0)
    at /tmp/INFOMANIAK/BUILD/php5.2-200607051830/20060705223915/php5.2-200607051830/Zend/zend_API.c:821
#5  0xb7c32e04 in zend_do_fcall_common_helper_SPEC (execute_data=0xbff80430) at zend_vm_execute.h:200
#6  0xb7c361a4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbff80430) at zend_vm_execute.h:1642
#7  0xb7c329bb in execute (op_array=0x853b1d4) at zend_vm_execute.h:92
#8  0xb7c10f81 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /tmp/INFOMANIAK/BUILD/php5.2-200607051830/20060705223915/php5.2-200607051830/Zend/zend.c:1110
#9  0xb7bc5fe6 in php_execute_script (primary_file=0xbff827f0) at /tmp/INFOMANIAK/BUILD/php5.2-200607051830/20060705223915/php5.2-200607051830/main/main.c:1748
#10 0xb7c7f0a7 in apache_php_module_main (r=0x812289c, display_source_mode=0)
    at /tmp/INFOMANIAK/BUILD/php5.2-200607051830/20060705223915/php5.2-200607051830/sapi/apache/sapi_apache.c:53
#11 0xb7c7ff1b in send_php (r=0x812289c, display_source_mode=0, filename=0x81245b4 "/home/www/555a1d69b0f4be4d6259cd00910c8ce1/web/baco/test.php")
    at /tmp/INFOMANIAK/BUILD/php5.2-200607051830/20060705223915/php5.2-200607051830/sapi/apache/mod_php5.c:665
#12 0xb7c7ff6f in send_parsed_php (r=0x812289c) at /tmp/INFOMANIAK/BUILD/php5.2-200607051830/20060705223915/php5.2-200607051830/sapi/apache/mod_php5.c:680
#13 0x08055dff in ap_invoke_handler ()
#14 0x0812289c in ?? ()
#15 0xb7d05689 in zend_vm_decode.1 () from /opt/apache/libexec/libphp5.so
#16 0x00000017 in ?? ()
#17 0xffffffff in ?? ()
#18 0xffffffff in ?? ()
#19 0xffffffff in ?? ()
#20 0x080c19b4 in ?? ()
#21 0x080c19a4 in ?? ()
#22 0x08122ba4 in ?? ()
#23 0xbff82b90 in ?? ()
#24 0x00000002 in ?? ()
#25 0x0805592c in run_method ()
#26 0x00000017 in ?? ()
#27 0x08513138 in ?? ()
#28 0x0812289c in ?? ()
#29 0x083cac3c in ?? ()
#30 0x0812289c in ?? ()
#31 0xb7f69d32 in add_env_module_vars_unset () from /opt/apache/libexec/mod_env.so
#32 0x00000017 in ?? ()
#33 0x00000000 in ?? ()
#34 0x083cac3c in ?? ()
#35 0x08513138 in ?? ()
#36 0x0806f3c1 in process_request_internal ()
#37 0x0812289c in ?? ()
#38 0x080af210 in status_lines ()
#39 0xbff82d18 in ?? ()
#40 0x080515ff in ap_table_get ()
#41 0x08124224 in ?? ()
#42 0x080acece in priorities ()
#43 0xb7ded974 in __libc_start_main () from /lib/tls/libc.so.6
#44 0xb7ded974 in __libc_start_main () from /lib/tls/libc.so.6
#45 0x08050051 in _start () at ../sysdeps/i386/elf/start.S:102
(gdb)
 [2006-07-06 20:16 UTC] tony2001@php.net
I'm still unable to reproduce it.
Please check if you can replicate it on another machine (preferably with different Linux distro).
 [2006-07-14 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-12-20 12:14 UTC] jani@php.net
-Package: Tidy +Package: XML related
 