php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40836 Segfault in ext/dom
Submitted: 2007-03-16 15:28 UTC Modified: 2007-03-18 21:32 UTC
From: hannes dot magnusson at gmail dot com Assigned: rrichards
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2007-03-16 (CVS) OS: FreeBSD
Private report: No CVE-ID:
 [2007-03-16 15:28 UTC] hannes dot magnusson at gmail dot com
Description:
------------
See reproduce code

Reproduce code:
---------------
<?php

$dom = new DOMDocument("1.0", "UTF-8");
$dom->preserveWhiteSpace = false;
$xml = '<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry xmlns="http://www.w3.org/2005/Atom">
    <updated>2007-02-14T00:00:00+01:00</updated>
    <content>
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>paragraph</p>
      </div>
    </content>
  </entry>
</feed>';
$dom->loadXML($xml);
$entry = $dom->getElementsByTagNameNS("http://www.w3.org/2005/Atom", "entry")->item(0);
$contentNode = $entry->getElementsByTagName("content")->item(0)->firstChild;
$dateNode    = $entry->getElementsByTagName("updated")->item(0)->firstChild;
$contentNode->firstChild->insertBefore($dateNode);



Actual result:
--------------
#0  xmlFreeNodeList (cur=0x5a5a5a5a) at tree.c:3364
3364        if (cur->type == XML_NAMESPACE_DECL) {
[New LWP 100095]
(gdb) bt
#0  xmlFreeNodeList (cur=0x5a5a5a5a) at tree.c:3364
#1  0x28562ce5 in xmlFreeNodeList (cur=0x28997b80) at tree.c:3386
#2  0x28562ce5 in xmlFreeNodeList (cur=0x28997c40) at tree.c:3386
#3  0x28562ce5 in xmlFreeNodeList (cur=0x28997c00) at tree.c:3386
#4  0x28562ce5 in xmlFreeNodeList (cur=0x28997bc0) at tree.c:3386
#5  0x28562ce5 in xmlFreeNodeList (cur=0x28997b00) at tree.c:3386
#6  0x28562ce5 in xmlFreeNodeList (cur=0x28997ac0) at tree.c:3386
#7  0x28563485 in xmlFreeDoc (cur=0x28840ac0) at tree.c:1216
#8  0x08082a84 in php_libxml_decrement_doc_ref (object=0x288ce8b0) at /usr/src/php/5.2/ext/libxml/libxml.c:966
#9  0x080c9f5f in dom_objects_free_storage (object=0x288ce8b0) at /usr/src/php/5.2/ext/dom/php_dom.c:977
#10 0x082c3308 in zend_objects_store_del_ref_by_handle (handle=1) at /usr/src/php/5.2/Zend/zend_objects_API.c:206
#11 0x082c31c3 in zend_objects_store_del_ref (zobject=0x288ccbac) at /usr/src/php/5.2/Zend/zend_objects_API.c:168
#12 0x082a3680 in _zval_dtor_func (zvalue=0x288ccbac, __zend_filename=0x83b9778 "/usr/src/php/5.2/Zend/zend_variables.h", 
    __zend_lineno=35) at /usr/src/php/5.2/Zend/zend_variables.c:52
#13 0x08297767 in _zval_dtor (zvalue=0x288ccbac, __zend_filename=0x83b971c "/usr/src/php/5.2/Zend/zend_execute_API.c", 
    __zend_lineno=414) at zend_variables.h:35
#14 0x08297920 in _zval_ptr_dtor (zval_ptr=0x288ce488, __zend_filename=0x83ba784 "/usr/src/php/5.2/Zend/zend_variables.c", 
    __zend_lineno=175) at /usr/src/php/5.2/Zend/zend_execute_API.c:414
#15 0x082a394f in _zval_ptr_dtor_wrapper (zval_ptr=0x288ce488) at /usr/src/php/5.2/Zend/zend_variables.c:175
#16 0x082af2ee in zend_hash_apply_deleter (ht=0x83ec710, p=0x288ce47c) at /usr/src/php/5.2/Zend/zend_hash.c:611
#17 0x082af769 in zend_hash_reverse_apply (ht=0x83ec710, apply_func=0x82972a4 <zval_call_destructor>)
    at /usr/src/php/5.2/Zend/zend_hash.c:760
#18 0x08297326 in shutdown_destructors () at /usr/src/php/5.2/Zend/zend_execute_API.c:211
#19 0x082a4ce2 in zend_call_destructors () at /usr/src/php/5.2/Zend/zend.c:845
#20 0x0825cce6 in php_request_shutdown (dummy=0x0) at /usr/src/php/5.2/main/main.c:1280
#21 0x0830c15b in main (argc=2, argv=0xbfbfebec) at /usr/src/php/5.2/sapi/cli/php_cli.c:1294

gdb) frame 1
#1  0x28562ce5 in xmlFreeNodeList (cur=0x2899a300) at tree.c:3386
3386                    xmlFreeNodeList(cur->children);
(gdb) p *cur
$1 = {_private = 0x5a5a5a5a, type = 1515870810, name = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>, children = 0x5a5a5a5a, 
  last = 0x5a5a5a5a, parent = 0x5a5a5a5a, next = 0x5a5a5a5a, prev = 0x5a5a5a5a, doc = 0x5a5a5a5a, ns = 0x5a5a5a5a, 
  content = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>, properties = 0x5a5a5a5a, nsDef = 0x5a5a5a5a, psvi = 0x5a5a5a5a, 
  line = 23130, extra = 23130}
(gdb)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-03-18 21:32 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 20:01:57 2014 UTC