Bug #41346 segmentation fault on domxml_document_parser
Submitted: 2007-05-10 07:53 UTC Modified: 2007-05-14 14:21 UTC
From: wouter at widexs dot nl Assigned:
Status: Closed Package: *XML functions
PHP Version: 4.4.7 OS: Linux
Private report: No CVE-ID: None
 [2007-05-10 07:53 UTC] wouter at widexs dot nl
Description:
------------
PHP 4.4.7 as Apache 2.0.59 DSO module gives a segmentation fault when parsing specific xml code.

I've been unable to locate the exact code as of yet that triggers this (since multiple clients use the piece of code I found in the backtrace).

A 'bt full' is also available, which might reveal more info for you.
I've disabled any Zend + 3rd-party extensions, thus only PHP-only extensions built-in.

Reproduce code:
---------------
Don't have it, though it has to be something like this:

#16 0xb75b8952 in domxml_document_parser (mode=144905360, loadtype=0,
    source=0x8ac77e4 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head profile=\"http://gmpg.org/x"..., data=0x0)
    at /opt/install/widexs_apache_2006_026/php-4.4.7/ext/domxml/php_domxml.c:4006

Which is used in WordPress CMS if I'm correct.

Expected result:
----------------
No segmentation fault :)

Actual result:
--------------
backtrace:

(gdb) bt
#0  0xb7a21df3 in free () from /lib/libc.so.6
#1  0xb6faf788 in xmlResetError__internal_alias (err=0xbfd65360) at error.c:871
#2  0xb6faeb94 in __xmlRaiseError (schannel=0, channel=0xb75b2ebc <domxml_error_validate>, data=0xbfd651e0, ctx=0xbfd651e0, nod=0x8ae0ee8, domain=23,
    code=504, level=XML_ERR_ERROR, file=0x0, line=-2147483636, str1=0x8b247f8 "ul", str2=0x8b247f8 "ul", str3=0xbfd62690 "()", int1=35, col=1,
    msg=0xb70706a0 "Element %s content does not follow the DTD, expecting %s, got %s\n") at error.c:534
#3  0xb6fda6f8 in xmlErrValidNode (ctxt=0x23, node=0x8ae0ee8, error=XML_DTD_CONTENT_MODEL,
    msg=0xb70706a0 "Element %s content does not follow the DTD, expecting %s, got %s\n", str1=0xb7adc4a4 "", str2=0xbfd63a20 "(li)+", str3=0xbfd62690 "()")
    at valid.c:152
#4  0xb6fe0763 in xmlValidateElementContent (ctxt=0x8a314fc, child=0x8ae0f38, elemDecl=0xbfd62690, warn=1, parent=0x8ae0ee8) at valid.c:5366
#5  0xb6fe15f6 in xmlValidateOneElement__internal_alias (ctxt=0x8a314fc, doc=0x8ae0f38, elem=0x8ae0ee8) at valid.c:6052
#6  0xb705b5d4 in xmlSAX2EndElementNs__internal_alias (ctx=0x8a31490, localname=0x8b06f4a "ul", prefix=0x0, URI=0x8b06ddf "http://www.w3.org/1999/xhtml")
    at SAX2.c:2315
#7  0xb6fbf56e in xmlParseEndTag2 (ctxt=0x8a31490, prefix=0x0, URI=0x8b06ddf "http://www.w3.org/1999/xhtml", line=28, nsNr=0, tlen=0) at parser.c:8207
#8  0xb6fbff9d in xmlParseElement__internal_alias (ctxt=0x8a31490) at parser.c:8542
#9  0xb6fbfcef in xmlParseContent__internal_alias (ctxt=0x8a31490) at parser.c:8361
#10 0xb6fbff56 in xmlParseElement__internal_alias (ctxt=0x8a31490) at parser.c:8521
#11 0xb6fbfcef in xmlParseContent__internal_alias (ctxt=0x8a31490) at parser.c:8361
#12 0xb6fbff56 in xmlParseElement__internal_alias (ctxt=0x8a31490) at parser.c:8521
#13 0xb6fbfcef in xmlParseContent__internal_alias (ctxt=0x8a31490) at parser.c:8361
#14 0xb6fbff56 in xmlParseElement__internal_alias (ctxt=0x8a31490) at parser.c:8521
#15 0xb6fc1133 in xmlParseDocument__internal_alias (ctxt=0x8a31490) at parser.c:9129
#16 0xb75b8952 in domxml_document_parser (mode=144905360, loadtype=0,
    source=0x8ac77e4 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head profile=\"http://gmpg.org/x"..., data=0x0)
    at /opt/install/widexs_apache_2006_026/php-4.4.7/ext/domxml/php_domxml.c:4006
#17 0xb75b8a46 in zif_xmldoc (ht=2, return_value=0x8a31264, this_ptr=0x0, return_value_used=1)
    at /opt/install/widexs_apache_2006_026/php-4.4.7/ext/domxml/php_domxml.c:4042
#18 0xb76d576a in execute (op_array=0x8a9ee10) at /opt/install/widexs_apache_2006_026/php-4.4.7/Zend/zend_execute.c:1681
#19 0xb76d551c in execute (op_array=0x8a40960) at /opt/install/widexs_apache_2006_026/php-4.4.7/Zend/zend_execute.c:1725
#20 0xb76d551c in execute (op_array=0x8984534) at /opt/install/widexs_apache_2006_026/php-4.4.7/Zend/zend_execute.c:1725
#21 0xb76c8fbf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/install/widexs_apache_2006_026/php-4.4.7/Zend/zend.c:939
#22 0xb76a4068 in php_execute_script (primary_file=0xbfd6ab70) at /opt/install/widexs_apache_2006_026/php-4.4.7/main/main.c:1757
#23 0xb76d96a7 in php_handler (r=0x8978608) at /opt/install/widexs_apache_2006_026/php-4.4.7/sapi/apache2handler/sapi_apache2.c:581
#24 0x080af902 in ap_run_handler ()
#25 0x080b0071 in ap_invoke_handler ()
#26 0x0809050d in ap_process_request ()
#27 0x0808a977 in ap_process_http_connection ()
#28 0x080bc422 in ap_run_process_connection ()
#29 0x080bc810 in ap_process_connection ()
#30 0x080ae19f in child_main ()
#31 0x080ae329 in make_child ()
#32 0x080ae39e in startup_children ()
#33 0x080ae7a7 in ap_mpm_run ()
#34 0x080b54b9 in main ()
#35 0xb79d0b94 in __libc_start_main () from /lib/libc.so.6

 [2007-05-10 13:22 UTC] rrichards@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

You might want to try a newer libxml2 version as it looks like the crash might be caused there. (can't be sure without a reproducible case though)
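The attribution above (crash in free() called from libxml2's error reporting, reached from PHP's xmldoc()) can be read mechanically off the backtrace. The following is an added example, not code from the report or from PHP: it folds gdb's continuation lines back onto their frames, attributes the first non-libc frame to a component (the file-to-component mapping is an assumption), and recovers the DTD validation error libxml2 was formatting when it crashed. The sample input is a constructed excerpt of the trace quoted in the report.

```python
import re
# Constructed sample: frames 0-3, 6 and 17 of the gdb backtrace quoted in this report.
BACKTRACE = r'''
#0  0xb7a21df3 in free () from /lib/libc.so.6
#1  0xb6faf788 in xmlResetError__internal_alias (err=0xbfd65360) at error.c:871
#2  0xb6faeb94 in __xmlRaiseError (schannel=0, channel=0xb75b2ebc <domxml_error_validate>, data=0xbfd651e0, ctx=0xbfd651e0, nod=0x8ae0ee8, domain=23,
    code=504, level=XML_ERR_ERROR, file=0x0, line=-2147483636, str1=0x8b247f8 "ul", str2=0x8b247f8 "ul", str3=0xbfd62690 "()", int1=35, col=1,
    msg=0xb70706a0 "Element %s content does not follow the DTD, expecting %s, got %s\n") at error.c:534
#3  0xb6fda6f8 in xmlErrValidNode (ctxt=0x23, node=0x8ae0ee8, error=XML_DTD_CONTENT_MODEL,
    msg=0xb70706a0 "Element %s content does not follow the DTD, expecting %s, got %s\n", str1=0xb7adc4a4 "", str2=0xbfd63a20 "(li)+", str3=0xbfd62690 "()")
    at valid.c:152
#6  0xb705b5d4 in xmlSAX2EndElementNs__internal_alias (ctx=0x8a31490, localname=0x8b06f4a "ul", prefix=0x0, URI=0x8b06ddf "http://www.w3.org/1999/xhtml")
    at SAX2.c:2315
#17 0xb75b8a46 in zif_xmldoc (ht=2, return_value=0x8a31264, this_ptr=0x0, return_value_used=1)
    at /opt/install/widexs_apache_2006_026/php-4.4.7/ext/domxml/php_domxml.c:4042
'''

FRAME_RE = re.compile(
    r'^#(?P<no>\d+)\s+0x[0-9a-f]+ in (?P<func>\w+) \((?P<args>.*)\)'
    r'(?:\s+at (?P<file>\S+):(?P<line>\d+)|\s+from (?P<lib>\S+))?\s*$', re.S)
LIBXML2_FILES = {'error.c', 'valid.c', 'parser.c', 'SAX2.c'}   # assumed libxml2 sources
def parse_frames(text):
    """Fold gdb's indented continuation lines back onto their '#N' frame, then parse each."""
    chunks = []
    for line in text.strip().splitlines():
        if line.startswith('#'):
            chunks.append(line.rstrip())
        elif chunks:
            chunks[-1] += ' ' + line.strip()
    return [m.groupdict() for m in map(FRAME_RE.match, chunks) if m]

def owner(frame):
    """Attribute a frame to libxml2, PHP or libc from its source file or shared object."""
    path = frame['file'] or frame['lib'] or ''
    base = path.rsplit('/', 1)[-1]
    if base in LIBXML2_FILES:
        return 'libxml2'
    if '/php-' in path or base.startswith('php_'):
        return 'php'
    return 'libc' if base.startswith('libc') else 'unknown'

def triage(text):
    """Name the component active at the crash and the DTD error libxml2 was reporting."""
    frames = parse_frames(text)
    # free() itself is rarely at fault; the first non-libc caller is the suspect component.
    suspect = next((owner(f) for f in frames if owner(f) != 'libc'), 'unknown')
    args = {f['func'].replace('__internal_alias', ''): f['args'] for f in frames}
    strs = dict(re.findall(r'(str[123])=0x[0-9a-f]+ "([^"]*)"', args['xmlErrValidNode']))
    elem = re.search(r'localname=0x[0-9a-f]+ "([^"]*)"', args['xmlSAX2EndElementNs']).group(1)
    return {'suspect': suspect, 'element': elem, 'expected': strs['str2'], 'got': strs['str3']}
```

On the report's trace this yields suspect libxml2, element ul, expected (li)+, got (): the validator was reporting an empty list against the XHTML DTD when the error path called free() on a bad pointer.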
 [2007-05-11 11:52 UTC] wouter at widexs dot nl
I've updated libxml2 (2.6.28), so I'll monitor for a while if the segmentation faults still occur.

However, it is still weird that 4.4.6 never gave these segmentation faults, and 4.4.7 is compiled against the same libxml2 version (2.6.23, a bit old perhaps).
 [2007-05-14 14:21 UTC] wouter at widexs dot nl
Haven't seen a segmentation fault since the upgrade of libxml2.
Still strange it didn't occur with PHP 4.4.6.