Bug #38813 DOMEntityReference->__construct crashes when called explicitly
Submitted: 2006-09-13 16:35 UTC Modified: 2006-09-14 13:37 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: ladislav dot prosek at matfyz dot cz Assigned: rrichards
Status: Closed Package: DOM XML related
PHP Version: 5.1.6 OS: Windows XP SP2 Pro
Private report: No CVE-ID:
 [2006-09-13 16:35 UTC] ladislav dot prosek at matfyz dot cz
Description:
------------
DOM XML classes contain __construct methods that behave in a quite unexpected way. You can call the constructor explicitly ending up with a broken object (e.g. "Couldn't fetch DOMAttr. Node no longer exists" whenever you access a method/property of the object).

Nevertheless, the constructor of DOMEntityReference, which is the subject of this report, is broken completely.

Reproduce code:
---------------
<?php
  // Constructing the object once works as expected...
  $ent = new DOMEntityReference("a");
  // ...but calling the constructor explicitly on the live object crashes PHP 5.1.6.
  $ent->__construct("b");
?>

Expected result:
----------------
You decide :)

Actual result:
--------------
* CRASH *

 [2006-09-13 16:38 UTC] ladislav dot prosek at matfyz dot cz
Correcting the summary (crashed -> crashes).
 [2006-09-13 22:11 UTC] judas dot iscariote at gmail dot com
(gdb) bt full
#0  0x00000000004430e5 in php_libxml_decrement_node_ptr (object=0xa75310) at /home/cristian/php-src/ext/libxml/libxml.c:922
        ret_refcount = -1
        obj_node = (php_libxml_node_ptr *) 0x81
#1  0x0000000000441103 in php_libxml_clear_object (object=0xa75310) at /home/cristian/php-src/ext/libxml/libxml.c:161
No locals.
#2  0x0000000000441148 in php_libxml_unregister_node (nodep=0x2af82f48abe0)
    at /home/cristian/php-src/ext/libxml/libxml.c:174
        wrapper = (php_libxml_node_object *) 0xa75310
        nodeptr = (php_libxml_node_ptr *) 0xa75290
#3  0x00000000004433f3 in php_libxml_node_free_resource (node=0x2af82f48abe0)
    at /home/cristian/php-src/ext/libxml/libxml.c:1006
No locals.
#4  0x00000000004a73fe in zim_domentityreference___construct (ht=1, return_value=0x2af82f48ab80, return_value_ptr=0x0,
    this_ptr=0x2af82f4892c0, return_value_used=0) at /home/cristian/php-src/ext/dom/entityreference.c:78
        id = (zval *) 0x2af82f4892c0
        node = (xmlNode *) 0xa75330
        oldnode = (xmlNodePtr) 0x2af82f48abe0
        intern = (dom_object *) 0x2af82f48c110
        name = 0x2af82f48ab30 "b"
        name_len = 1
        name_valid = 0
#5  0x00000000006b479a in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff7b683890)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2af82f48a5c0
        original_return_value = (zval **) 0x66ab0d
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 0
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x6fa2f53dc00
#6  0x00000000006b5616 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff7b683890)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:322
No locals.
#7  0x00000000006b41e7 in execute (op_array=0x2af82f489f38) at /home/cristian/php-src/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2af82f48a5c0, function_state = {function_symbol_table = 0x0, function = 0x9d0e10,
    reserved = {0x2af82f48a068, 0x7fff7b6838f0, 0x67f53c, 0x0}}, fbc = 0x9d0e10, op_array = 0x2af82f489f38,
  object = 0x2af82f4892c0, Ts = 0x7fff7b683770, CVs = 0x7fff7b683750, original_in_execution = 0 '\0',
  symbol_table = 0x944368, prev_execute_data = 0x0, old_error_reporting = 0x0}
#8  0x000000000068c639 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cristian/php-src/Zend/zend.c:1096
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff7b683b20, reg_save_area = 0x7fff7b683a60}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff7b685f20
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#9  0x000000000062e1fe in php_execute_script (primary_file=0x7fff7b685f20) at /home/cristian/php-src/main/main.c:1759
        realfile = "/home/cristian/php-src/dom.php\000\000\006\000\000\177\000\000Y;i\000\000\000\000\000&#563;&#65533;*\000\000\004&#65533;*\000\000\006\000\000\177\000\000&#65533;232\220", '\0' <repeats 13 times>, "0ah{\177", '\0' <repeats 26 times>, "&#65533;B/*\000\000\001\000\000\000\177\000\000\000\000\000\000\000\000\000\000str_pad\000\000z\000\000\000\000\000&#563;&#65533;*\000\000\000&#65533;/*\000\000\200Lh{\177\000\000B5C/*\000\000p\a0*\000\000\000&#65533;\000\000\000\000\000&#65533;027\225\000\000\000\000\000,\200i"...
        orig_bailout = (jmp_buf *) 0x7fff7b685da0
        bailout = {{__jmpbuf = {47245434280960, -69214136192287935, 0, 140735263826224, 0, 0, -69214136192279183,
      -69130816930170570}, __mask_was_saved = 0, __saved_mask = {__val = {6788758, 140735263824896, 6728568,
        47244640256323, 2070436912, 0, 2263447764992, 8057064, 47245433541408, 140735263825168, 7408586, 8057064, 492, 0,
        0, 3}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff7b683b40 ""
        retval = 0
#10 0x0000000000711a7d in main (argc=2, argv=0x7fff7b686138) at /home/cristian/php-src/sapi/cli/php_cli.c:1102
        orig_bailout = (jmp_buf *) 0x0
        bailout = {{__jmpbuf = {47245434280960, -69214136192301567, 0, 140735263826224, 0, 0, -69214136192287887,
      -69130816930977452}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 140735263825552, 0, 0, 0, 0, 1706748291,
        47245434283584, 47245434285408, 281474976710656, 0, 0, 0, 0}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff7b686eff "dom.php",
  opened_path = 0x2af82f489ed0 'Z' <repeats 31 times>, "\204&#65533;217*", handle = {fd = 10965648, fp = 0xa75290, stream = {
      handle = 0xa75290, reader = 0x6a6208 <zend_stream_stdio_reader>, closer = 0x6a6234 <zend_stream_stdio_closer>,
      fteller = 0x6a625e <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff7b686eff "dom.php"
        arg_excp = (char **) 0x7fff7b686140
        script_file = 0x7fff7b686eff "dom.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
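The frames above show the second constructor call reaching php_libxml_decrement_node_ptr with ret_refcount = -1, i.e. a node bookkeeping record being released once more than it was acquired. The following C program is an added example, not PHP's ext/libxml code and not the fix rrichards committed: it is a constructed model of a wrapper object that owns a reference-counted node, with a deliberately wrong re-construction order that reproduces the -1 next to a guarded version that releases the old node through the pointer it actually holds and refuses to decrement below zero. All names (node_t, wrapper_t, construct_buggy, construct_fixed, the owner back-pointer) are the example's own assumptions; nodes live in a static pool so the underflow is observable rather than corrupting the heap.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (added example, not PHP's libxml bookkeeping). */
#define POOL_SIZE 8

typedef struct wrapper wrapper_t;

typedef struct {
    int refcount;        /* wrappers holding this node; 0 once freed */
    int freed;           /* set when the node has been handed back */
    wrapper_t *owner;    /* back-pointer, in the spirit of node->_private */
    char name[16];
} node_t;

struct wrapper {
    node_t *node;        /* NULL when the wrapper owns nothing */
};

static node_t pool[POOL_SIZE];   /* static pool instead of malloc/free */
static int pool_used;

static node_t *node_new(const char *name, wrapper_t *owner) {
    node_t *n = &pool[pool_used++ % POOL_SIZE];
    memset(n, 0, sizeof *n);
    strncpy(n->name, name, sizeof n->name - 1);
    n->refcount = 1;
    n->owner = owner;
    return n;
}

/* Unchecked decrement: a second release of an already freed node drives
 * the count negative, which is the ret_refcount = -1 seen in the trace. */
static int node_release_unchecked(node_t *n) {
    int r = --n->refcount;
    if (r <= 0) n->freed = 1;
    return r;
}

/* Guarded decrement: never touches a freed node and never goes below zero;
 * returns -1 to flag the misuse instead of corrupting state. */
static int node_release_guarded(node_t *n) {
    if (n == NULL || n->freed || n->refcount <= 0) return -1;
    if (--n->refcount == 0) n->freed = 1;
    return n->refcount;
}

/* Assumed buggy order: the new node is attached first, and the old node is
 * released via its owner back-pointer, so the decrement lands on whatever
 * the owner holds *now* (the new node). The old node leaks, the new one is
 * freed while still referenced. */
static void construct_buggy(wrapper_t *w, const char *name) {
    node_t *old = w->node;
    w->node = node_new(name, w);
    if (old != NULL && old->owner != NULL)
        node_release_unchecked(old->owner->node);   /* wrong node */
}

static int destroy_buggy(wrapper_t *w) {
    int r = w->node ? node_release_unchecked(w->node) : 0;
    w->node = NULL;
    return r;
}

/* Fixed order: release the node we actually hold, clear the pointer, and
 * only then attach the replacement. */
static int construct_fixed(wrapper_t *w, const char *name) {
    int r = 0;
    if (w->node != NULL) {
        r = node_release_guarded(w->node);
        w->node = NULL;
    }
    w->node = node_new(name, w);
    return r;
}

static int destroy_fixed(wrapper_t *w) {
    int r = w->node ? node_release_guarded(w->node) : -1;
    w->node = NULL;
    return r;
}

/* Replays the reporter's script (construct "a", re-construct "b", destroy)
 * and returns the refcount seen by the final release. */
int run_buggy(void) {
    wrapper_t w = { NULL };
    construct_buggy(&w, "a");
    construct_buggy(&w, "b");
    return destroy_buggy(&w);          /* -1: released one time too many */
}

int run_fixed(void) {
    wrapper_t w = { NULL };
    construct_fixed(&w, "a");
    construct_fixed(&w, "b");
    return destroy_fixed(&w);          /* 0: every node released exactly once */
}

/* Leak check for the fixed model: every node handed out must be freed. */
int fixed_leaks(void) {
    pool_used = 0;
    run_fixed();
    int leaked = 0;
    for (int i = 0; i < pool_used; i++) if (!pool[i].freed) leaked++;
    return leaked;
}

int main(void) {
    printf("buggy model, final refcount: %d\n", run_buggy());
    printf("fixed model, final refcount: %d, leaked nodes: %d\n",
           run_fixed(), fixed_leaks());
    return 0;
}
```

The point for a reviewer of such wrapper code is the two checks the guarded path adds: a release must go through the pointer the wrapper itself holds (not a back-pointer that may already point at the replacement), and the decrement must reject a count that is already zero so a double release is reported instead of turning into a negative refcount and a later dereference of freed memory.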
 [2006-09-14 13:37 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
