php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40598 libxml segfault
Submitted: 2007-02-22 23:08 UTC Modified: 2007-02-23 11:22 UTC
From: incastrix at yahoo dot it Assigned:
Status: Closed Package: XML related
PHP Version: 5CVS-2007-02-22 (CVS) OS: debian etch
Private report: No CVE-ID:
 [2007-02-22 23:08 UTC] incastrix at yahoo dot it
Description:
------------
libxml segfaults when xml document was loaded with  LIBXML_COMPACT flag and try to remove a node.

libxml 2.6.27

Reproduce code:
---------------
$doc = DOMDocument::loadXML('<root><father><child  xml:id="remove" /></father></root>', LIBXML_COMPACT);
$node = $doc->getElementByID('remove');
$node->parentNode->removeChild( $node );

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210758944 (LWP 27086)]
php_libxml_node_free_list (node=0x70706970) at /usr/local/src/php5.2-200702222130/ext/libxml/libxml.c:236
236                             switch (node->type) {
(gdb) bt
#0  php_libxml_node_free_list (node=0x70706970) at /usr/local/src/php5.2-200702222130/ext/libxml/libxml.c:236
#1  0xb7a310b0 in php_libxml_node_free_list (node=<value optimized out>)
    at /usr/local/src/php5.2-200702222130/ext/libxml/libxml.c:253
#2  0xb7a310f9 in php_libxml_node_free_list (node=<value optimized out>)
    at /usr/local/src/php5.2-200702222130/ext/libxml/libxml.c:249
#3  0xb7a3115b in php_libxml_node_free_resource (node=0x82247c0)
    at /usr/local/src/php5.2-200702222130/ext/libxml/libxml.c:1005
#4  0xb7a311f8 in php_libxml_node_decrement_resource (object=0xb7799708)
    at /usr/local/src/php5.2-200702222130/ext/libxml/libxml.c:1028
#5  0xb7a65864 in dom_objects_free_storage (object=0xb7799708) at /usr/local/src/php5.2-200702222130/ext/dom/php_dom.c:974
#6  0xb7c298a7 in zend_objects_store_del_ref_by_handle (handle=2)
    at /usr/local/src/php5.2-200702222130/Zend/zend_objects_API.c:206
#7  0xb7c298e7 in zend_objects_store_del_ref (zobject=0xb7799848)
    at /usr/local/src/php5.2-200702222130/Zend/zend_objects_API.c:168
#8  0xb7c02199 in _zval_ptr_dtor (zval_ptr=0xb7796f60) at /usr/local/src/php5.2-200702222130/Zend/zend_variables.h:35
#9  0xb7c17667 in zend_hash_apply_deleter (ht=0xb7d53990, p=0xb7796f54)
    at /usr/local/src/php5.2-200702222130/Zend/zend_hash.c:611
#10 0xb7c17768 in zend_hash_reverse_apply (ht=0xb7d53990, apply_func=0xb7c018d0 <zval_call_destructor>)
    at /usr/local/src/php5.2-200702222130/Zend/zend_hash.c:760
#11 0xb7c020fe in shutdown_destructors () at /usr/local/src/php5.2-200702222130/Zend/zend_execute_API.c:211
#12 0xb7c0e300 in zend_call_destructors () at /usr/local/src/php5.2-200702222130/Zend/zend.c:846
#13 0xb7bcfd88 in php_request_shutdown (dummy=0x0) at /usr/local/src/php5.2-200702222130/main/main.c:1279
#14 0xb7c8642d in php_handler (r=0x821d578) at /usr/local/src/php5.2-200702222130/sapi/apache2handler/sapi_apache2.c:463
#15 0x08074617 in ap_run_handler (r=0x821d578) at config.c:157
#16 0x08077707 in ap_invoke_handler (r=0x821d578) at config.c:372
#17 0x0808deb8 in ap_process_request (r=0x821d578) at http_request.c:258
#18 0x0808b15e in ap_process_http_connection (c=0x8219558) at http_core.c:184
#19 0x0807b4d7 in ap_run_process_connection (c=0x8219558) at connection.c:43
#20 0x080a10a4 in child_main (child_num_arg=<value optimized out>) at prefork.c:640
#21 0x080a1304 in make_child (s=0x80ccc80, slot=0) at prefork.c:680
#22 0x080a20ca in ap_mpm_run (_pconf=0x80c80a8, plog=0x81061a0, s=0x80ccc80) at prefork.c:956
#23 0x0806222f in main (argc=135029024, argv=0x0) at main.c:717


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-02-23 11:22 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

*NOTE*: LIBXML_COMPACT should really only be used when reading a document as it is unpredictable (within the libxml2 library itself) when using it and modifying a document.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 10:02:10 2014 UTC