Bug #42858 Xpath buffer overflow
Submitted: 2007-10-05 01:05 UTC Modified: 2007-10-06 00:06 UTC
From: felipensp at gmail dot com Assigned:
Status: Not a bug Package: SimpleXML related
PHP Version: 5.2.4 OS: Linux
Private report: No CVE-ID: None
 [2007-10-05 01:05 UTC] felipensp at gmail dot com
Description:
------------
XPath causes a buffer overflow when a function is not found in a predicate.

Reproduce code:
---------------
<?php

$source = file_get_contents('http://visualjquery.com/1.1.2.html');
$xml = new SimpleXMLElement($source);
$entries = $xml->xpath('//h1[.=foo()]'); // foo() is not a registered XPath function; this is "line 5" in the warnings below

Expected result:
----------------
Only error messages.

Actual result:
--------------
felipe@bl4ck:~/public_html$ php test.php 

Warning: SimpleXMLElement::xpath(): xmlXPathCompOpEval: function foo not found in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): Unregistered function in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): xmlXPathEval: 2 object left on the stack in /home/felipe/public_html/test.php on line 5
*** glibc detected *** php: corrupted double-linked list: 0x084afa90 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d2db2a]
/lib/tls/i686/cmov/libc.so.6[0xb7d2f50f]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7d32e30]
/usr/lib/libxml2.so.2(xmlDictFree+0xec)[0xb7eec17c]
/usr/lib/libxml2.so.2(xmlFreeDoc+0x1b9)[0xb7e4d8f9]
php(php_libxml_decrement_doc_ref+0x46)[0x808b3f6]
php[0x8161faa]
php(zend_objects_store_del_ref_by_handle+0x179)[0x828fce9]
php(zend_objects_store_del_ref+0x18)[0x828fd28]
php(_zval_ptr_dtor+0x4f)[0x8267fef]
php[0x827db38]
php(zend_hash_reverse_apply+0x57)[0x827dc27]
php(shutdown_destructors+0x50)[0x8267f50]
php(zend_call_destructors+0x30)[0x8274400]
php(php_request_shutdown+0x268)[0x8233c18]
php(main+0x36d)[0x82ebfed]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7cddebc]
php(xmlTextReaderConstName+0x145)[0x808a611]
======= Memory map: ========
08048000-0839c000 r-xp 00000000 03:01 5360941    /usr/local/bin/php
0839c000-083b9000 rw-p 00354000 03:01 5360941    /usr/local/bin/php
083b9000-08618000 rw-p 083b9000 00:00 0          [heap]
b7a00000-b7a21000 rw-p b7a00000 00:00 0 
b7a21000-b7b00000 ---p b7a21000 00:00 0 
b7b97000-b7c18000 rw-p b7b97000 00:00 0 
b7c18000-b7c1f000 r--s 00000000 03:01 5194177    /usr/lib/gconv/gconv-modules.cache
b7c1f000-b7c5a000 r--p 00000000 03:01 5242899    /usr/lib/locale/pt_BR.utf8/LC_CTYPE
b7c7b000-b7c86000 r-xp 00000000 03:01 2261088    /lib/libgcc_s.so.1
b7c86000-b7c87000 rw-p 0000a000 03:01 2261088    /lib/libgcc_s.so.1
b7c87000-b7c8b000 r-xp 00000000 03:01 2294771    /lib/tls/i686/cmov/libnss_dns-2.5.so
b7c8b000-b7c8d000 rw-p 00003000 03:01 2294771    /lib/tls/i686/cmov/libnss_dns-2.5.so
b7c8d000-b7c96000 r-xp 00000000 03:01 2294772    /lib/tls/i686/cmov/libnss_files-2.5.so
b7c96000-b7c98000 rw-p 00008000 03:01 2294772    /lib/tls/i686/cmov/libnss_files-2.5.so
b7c98000-b7c9a000 rw-p b7c98000 00:00 0 
b7c9b000-b7c9c000 rw-p b7c9b000 00:00 0 
b7c9c000-b7caf000 r-xp 00000000 03:01 5178599    /usr/lib/libz.so.1.2.3
b7caf000-b7cb0000 rw-p 00012000 03:01 5178599    /usr/lib/libz.so.1.2.3
b7cb0000-b7cc3000 r-xp 00000000 03:01 2294778    /lib/tls/i686/cmov/libpthread-2.5.so
b7cc3000-b7cc5000 rw-p 00013000 03:01 2294778    /lib/tls/i686/cmov/libpthread-2.5.so
b7cc5000-b7cc8000 rw-p b7cc5000 00:00 0 
b7cc8000-b7e03000 r-xp 00000000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7e03000-b7e04000 r--p 0013b000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7e04000-b7e06000 rw-p 0013c000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7e06000-b7e09000 rw-p b7e06000 00:00 0 
b7e09000-b7f20000 r-xp 00000000 03:01 5179128    /usr/lib/libxml2.so.2.6.27
b7f20000-b7f26000 rw-p 00116000 03:01 5179128    /usr/lib/libxml2.so.2.6.27
b7f26000-b7f39000 r-xp 00000000 03:01 2294480    /lib/tls/i686/cmov/libnsl-2.5.so
b7f39000-b7f3b000 rw-p 00012000 03:01 2294480    /lib/tls/i686/cmov/libnsl-2.5.so
b7f3b000-b7f3d000 rw-p b7f3b000 00:00 0 
b7f3d000-b7f3f000 r-xp 00000000 03:01 2294474    /lib/tls/i686/cmov/libdl-2.5.so
b7f3f000-b7f41000 rw-p 00001000 03:01 2294474    /lib/tls/i686/cmov/libdl-2.5.so
b7f41000-b7f66000 r-xp 00000000 03:01 2294476    /lib/tls/i686/cmov/libm-2.5.so
b7f66000-b7f68000 rw-p 00024000 03:01 2294476    /lib/tls/i686/cmov/libm-2.5.so
b7f68000-b7f77000 r-xp 00000000 03:01 2294779    /lib/tls/i686/cmov/libresolv-2.5.so
b7f77000-b7f79000 rw-p 0000f000 03:01 2294779    /lib/tls/i686/cmov/libresolv-2.5.so
b7f79000-b7f7c000 rw-p b7f79000 00:00 0 
b7f7c000-b7f83000 r-xp 00000000 03:01 2294780    /lib/tls/i686/cmov/librt-2.5.so
b7f83000-b7f85000 rw-p 00006000 03:01 2294780    /lib/tls/i686/cmov/librt-2.5.so
b7f85000-b7f8a000 r-xp 00000Aborted (core dumped)


----------------------------------------

felipe@bl4ck:~/public_html$ gdb -q php
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r test.php 
Starting program: /usr/local/bin/php test.php
[Thread debugging using libthread_db enabled]
[New Thread -1212278368 (LWP 15257)]

Warning: SimpleXMLElement::xpath(): xmlXPathCompOpEval: function foo not found in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): Unregistered function in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): xmlXPathEval: 2 object left on the stack in /home/felipe/public_html/test.php on line 5
*** glibc detected *** /usr/local/bin/php: corrupted double-linked list: 0x084afa90 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7c73b2a]
/lib/tls/i686/cmov/libc.so.6[0xb7c7550f]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7c78e30]
/usr/lib/libxml2.so.2(xmlDictFree+0xec)[0xb7e3217c]
/usr/lib/libxml2.so.2(xmlFreeDoc+0x1b9)[0xb7d938f9]
/usr/local/bin/php(php_libxml_decrement_doc_ref+0x46)[0x808b3f6]
/usr/local/bin/php[0x8161faa]
/usr/local/bin/php(zend_objects_store_del_ref_by_handle+0x179)[0x828fce9]
/usr/local/bin/php(zend_objects_store_del_ref+0x18)[0x828fd28]
/usr/local/bin/php(_zval_ptr_dtor+0x4f)[0x8267fef]
/usr/local/bin/php[0x827db38]
/usr/local/bin/php(zend_hash_reverse_apply+0x57)[0x827dc27]
/usr/local/bin/php(shutdown_destructors+0x50)[0x8267f50]
/usr/local/bin/php(zend_call_destructors+0x30)[0x8274400]
/usr/local/bin/php(php_request_shutdown+0x268)[0x8233c18]
/usr/local/bin/php(main+0x36d)[0x82ebfed]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7c23ebc]
/usr/local/bin/php(xmlTextReaderConstName+0x145)[0x808a611]
======= Memory map: ========
08048000-0839c000 r-xp 00000000 03:01 5360941    /usr/local/bin/php
0839c000-083b9000 rw-p 00354000 03:01 5360941    /usr/local/bin/php
083b9000-08618000 rw-p 083b9000 00:00 0          [heap]
b7900000-b7921000 rw-p b7900000 00:00 0 
b7921000-b7a00000 ---p b7921000 00:00 0 
b7add000-b7b5e000 rw-p b7add000 00:00 0 
b7b5e000-b7b65000 r--s 00000000 03:01 5194177    /usr/lib/gconv/gconv-modules.cache
b7b65000-b7ba0000 r--p 00000000 03:01 5242899    /usr/lib/locale/pt_BR.utf8/LC_CTYPE
b7bc1000-b7bcc000 r-xp 00000000 03:01 2261088    /lib/libgcc_s.so.1
b7bcc000-b7bcd000 rw-p 0000a000 03:01 2261088    /lib/libgcc_s.so.1
b7bcd000-b7bd1000 r-xp 00000000 03:01 2294771    /lib/tls/i686/cmov/libnss_dns-2.5.so
b7bd1000-b7bd3000 rw-p 00003000 03:01 2294771    /lib/tls/i686/cmov/libnss_dns-2.5.so
b7bd3000-b7bdc000 r-xp 00000000 03:01 2294772    /lib/tls/i686/cmov/libnss_files-2.5.so
b7bdc000-b7bde000 rw-p 00008000 03:01 2294772    /lib/tls/i686/cmov/libnss_files-2.5.so
b7bde000-b7be0000 rw-p b7bde000 00:00 0 
b7be1000-b7be2000 rw-p b7be1000 00:00 0 
b7be2000-b7bf5000 r-xp 00000000 03:01 5178599    /usr/lib/libz.so.1.2.3
b7bf5000-b7bf6000 rw-p 00012000 03:01 5178599    /usr/lib/libz.so.1.2.3
b7bf6000-b7c09000 r-xp 00000000 03:01 2294778    /lib/tls/i686/cmov/libpthread-2.5.so
b7c09000-b7c0b000 rw-p 00013000 03:01 2294778    /lib/tls/i686/cmov/libpthread-2.5.so
b7c0b000-b7c0e000 rw-p b7c0b000 00:00 0 
b7c0e000-b7d49000 r-xp 00000000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7d49000-b7d4a000 r--p 0013b000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7d4a000-b7d4c000 rw-p 0013c000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7d4c000-b7d4f000 rw-p b7d4c000 00:00 0 
b7d4f000-b7e66000 r-xp 00000000 03:01 5179128    /usr/lib/libxml2.so.2.6.27
b7e66000-b7e6c000 rw-p 00116000 03:01 5179128    /usr/lib/libxml2.so.2.6.27
b7e6c000-b7e7f000 r-xp 00000000 03:01 2294480    /lib/tls/i686/cmov/libnsl-2.5.so
b7e7f000-b7e81000 rw-p 00012000 03:01 2294480    /lib/tls/i686/cmov/libnsl-2.5.so
b7e81000-b7e83000 rw-p b7e81000 00:00 0 
b7e83000-b7e85000 r-xp 00000000 03:01 2294474    /lib/tls/i686/cmov/libdl-2.5.so
b7e85000-b7e87000 rw-p 00001000 03:01 2294474    /lib/tls/i686/cmov/libdl-2.5.so
b7e87000-b7eac000 r-xp 00000000 03:01 2294476    /lib/tls/i686/cmov/libm-2.5.so
b7eac000-b7eae000 rw-p 00024000 03:01 2294476    /lib/tls/i686/cmov/libm-2.5.so
b7eae000-b7ebd000 r-xp 00000000 03:01 2294779    /lib/tls/i686/cmov/libresolv-2.5.so
b7ebd000-b7ebf000 rw-p 0000f000 03:01 2294779    /lib/tls/i686/cmov/libresolv-2.5.so
b7ebf000-b7ec2000 rw-p b7ebf000 00:00 0 
b7ec2000-b7ec9000 r-xp 00000000 03:01 2294780    /lib/tls/i686/cmov/librt-2.5.so
b7ec9000-b7ecb000 rw-p 00006000 03:01 2294780    /lib/tls/i686/cmov/librt-2.5.so
b7ecb000-b7ed0000 r-xp 00000000 03:01 2294473    /lib/tls/i686/cmov/libcrypt-2.5.so
b7ed0000-b7ed2000 rw-p 00004000 03:01 2294473    /lib/tls/i686/cmov/libcrypt-2.5.so
b7ed2000-b7ef9000 rw-p b7ed2000 00:00 0 
b7f08000-b7f0a000 rw-p b7f08000 00:00 0 
b7f0a000-b7f23000 r-xp 00000000 
Program received signal SIGABRT, Aborted.
[Switching to Thread -1212278368 (LWP 15257)]
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7c37df0 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7c39641 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7c6d9bb in ?? () from /lib/tls/i686/cmov/libc.so.6
#4  0x00000005 in ?? ()
#5  0xbfa9be0c in ?? ()
#6  0x00000400 in ?? ()
#7  0x00000002 in ?? ()
#8  0x08277c21 in zend_register_functions (scope=0x828fce9, functions=0x8161faa, function_table=0xbfa9e9a7, type=-1210902870)
    at /home/felipe/php-5.2.4/Zend/zend_API.c:1705
#9  0xb7c73b2a in ?? () from /lib/tls/i686/cmov/libc.so.6
#10 0x00000002 in ?? ()
#11 0xb7d347a8 in ?? () from /lib/tls/i686/cmov/libc.so.6
#12 0xbfa9e9a7 in ?? ()
#13 0xb7d316aa in ?? () from /lib/tls/i686/cmov/libc.so.6
#14 0xbfa9c36f in ?? ()
#15 0xb7d316aa in ?? () from /lib/tls/i686/cmov/libc.so.6
#16 0xbfa9c36f in ?? ()
#17 0xb7d316aa in ?? () from /lib/tls/i686/cmov/libc.so.6
#18 0xb7d4c120 in ?? () from /lib/tls/i686/cmov/libc.so.6
#19 0x00000021 in ?? ()
#20 0xb7d4c138 in ?? () from /lib/tls/i686/cmov/libc.so.6
#21 0xb7d4c144 in ?? () from /lib/tls/i686/cmov/libc.so.6
#22 0x08603358 in ?? ()
#23 0xb7d4c150 in ?? () from /lib/tls/i686/cmov/libc.so.6
#24 0x00000070 in ?? ()
#25 0x00000002 in ?? ()
#26 0xb7c74fd1 in ?? () from /lib/tls/i686/cmov/libc.so.6
#27 0x30000040 in ?? ()
#28 0x66613438 in ?? ()
#29 0x00303961 in ?? ()
#30 0xb7d4aff4 in ?? () from /lib/tls/i686/cmov/libc.so.6
#31 0x084c71a8 in ?? ()
#32 0x084e71b0 in ?? ()
#33 0xbfa9c400 in ?? ()
#34 0xb7c7550f in ?? () from /lib/tls/i686/cmov/libc.so.6
#35 0x00000040 in ?? ()
#36 0xbfa9c3c8 in ?? ()
#37 0xb7d3481c in ?? () from /lib/tls/i686/cmov/libc.so.6
#38 0xb7d4c120 in ?? () from /lib/tls/i686/cmov/libc.so.6
#39 0x086018a0 in ?? ()
#40 0x086018d8 in ?? ()
#41 0x00000000 in ?? ()


 [2007-10-05 11:50 UTC] rrichards@php.net
Try a newer version of libxml2 (2.6.28+). I can't reproduce this and believe this isn't a PHP issue but rather due to a bug that existed in libxml2 2.6.27.
 [2007-10-05 23:18 UTC] felipensp at gmail dot com
I tested with libxml2-2.6.30 and did not get the bug.
 [2007-10-06 00:06 UTC] jani@php.net
Obviously a libxml bug -> not a PHP bug -> bogus.
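The thread leaves a practitioner with two things to check before an untrusted XPath expression reaches SimpleXMLElement::xpath(): that the linked libxml2 is at least 2.6.28 (the version rrichards points to), and that the expression does not call a function libxml2 has not registered, since that is the path that leaves objects on the XPath stack and ends in the corrupted heap at xmlFreeDoc. The script below is an added example, not code from the report or from PHP or libxml2. It assumes PHP 7 or later, XPath 1.0 syntax (what libxml2 implements), and that no extra XPath functions have been registered by extensions; the function names, the allowlist and the sample document are all constructed for the example.

```php
<?php
// Added example (not from the bug report): gate untrusted XPath on the
// runtime libxml2 version and on the XPath 1.0 core function library.

// XPath 1.0 core functions as registered by libxml2 (assumption: nothing
// else has been registered by extensions or application code).
const XPATH_CORE_FUNCTIONS = [
    'last', 'position', 'count', 'id', 'local-name', 'namespace-uri', 'name',
    'string', 'concat', 'starts-with', 'contains', 'substring-before',
    'substring-after', 'substring', 'string-length', 'normalize-space',
    'translate', 'boolean', 'not', 'true', 'false', 'lang',
    'number', 'sum', 'floor', 'ceiling', 'round',
];

// Node tests look like calls but are not functions.
const XPATH_NODE_TESTS = ['node', 'text', 'comment', 'processing-instruction'];

/**
 * Names of functions called in $expr that are not XPath 1.0 core functions.
 * String literals are blanked first so that '//a[@href="x()"]' is not flagged;
 * a name preceded by ':' belongs to an axis (child::node()) and is skipped.
 */
function unknown_xpath_functions(string $expr): array
{
    // XPath 1.0 literals have no escape sequence, so quote-to-quote is exact.
    $stripped = preg_replace('/"[^"]*"|\'[^\']*\'/', '""', $expr);

    // A call is a (possibly prefixed) QName immediately followed by '('.
    preg_match_all('/(?<![\w\-:.])([A-Za-z_][\w\-.]*(?::[A-Za-z_][\w\-.]*)?)\s*\(/', $stripped, $matches);

    $unknown = [];
    foreach ($matches[1] as $name) {
        if (in_array($name, XPATH_NODE_TESTS, true) || in_array($name, XPATH_CORE_FUNCTIONS, true)) {
            continue;
        }
        $unknown[$name] = true;
    }
    return array_keys($unknown);
}

/**
 * LIBXML_VERSION is PHP's built-in integer constant encoded as
 * major*10000 + minor*100 + patch, so libxml2 2.6.28 is 20628.
 */
function libxml_is_at_least_2_6_28(int $version = LIBXML_VERSION): bool
{
    return $version >= 20628;
}

/** Evaluate $expr only if both checks pass; throws otherwise. */
function safe_xpath(SimpleXMLElement $xml, string $expr)
{
    if (!libxml_is_at_least_2_6_28()) {
        throw new RuntimeException(
            'libxml2 ' . LIBXML_DOTTED_VERSION . ' is older than 2.6.28; refusing to evaluate untrusted XPath'
        );
    }
    $unknown = unknown_xpath_functions($expr);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unknown XPath function(s): ' . implode(', ', $unknown));
    }
    return $xml->xpath($expr);
}

// Constructed sample document (not from the report) and three expressions:
// the reporter's crashing one, a benign one, and one where "x()" is only a literal.
$doc = new SimpleXMLElement('<doc><h1>a</h1><h1>x()</h1></doc>');
foreach (['//h1[.=foo()]', 'count(//h1)', '//h1[contains(., "x()")]'] as $expr) {
    try {
        $result = safe_xpath($doc, $expr);
        printf("%-28s accepted, %s\n", $expr, is_array($result) ? count($result) . ' result(s)' : 'returned false');
    } catch (Exception $e) {
        printf("%-28s rejected: %s\n", $expr, $e->getMessage());
    }
}
```

The name check is deliberately conservative: an expression using a namespaced extension function (ns:func()) is rejected unless its name is added to the allowlist, which is the right default when the expression comes from a request parameter. The version gate uses PHP's own LIBXML_VERSION, so it reflects the libxml2 the running binary was linked against rather than whatever the package manager reports.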
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 13:01:30 2024 UTC