Bug #51615 PHP crash with wrong HTML in SimpleXML
Submitted: 2010-04-20 13:28 UTC
Modified: 2010-04-20 18:24 UTC
From:
Assigned: felipe
Status: Closed
Package: SimpleXML related
PHP Version: 5.3.2
OS: Windows XP
Private report: No
CVE-ID: None


 [2010-04-20 13:28 UTC]
It is possible to load incorrect HTML with DOM and import it with simplexml_import_dom().

Under certain circumstances, PHP crashes after an attempt to work with this HTML.

Test script:
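<?php
// The attribute quoting is malformed, but loadHTML() still builds a DOM from it.
$dom = new DOMDocument;
$dom->loadHTML('<span title=""y">x</span>');
$html = simplexml_import_dom($dom);
// The ternary casts the element to boolean (sxe_object_cast in the trace below).
echo ($html->body->span ? $html->body->span : '');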

Expected result:

Actual result:
Thread 0 - System ID 5696
Entry point   php!mainCRTStartup 
Create time   20.4. 13:24:02 
Time spent in user mode   0 Days 0:0:0.437 
Time spent in kernel mode   0 Days 0:0:0.140 

Function     Arg 1     Arg 2     Arg 3   Source 
php5ts!_estrdup+d     00000000     01cbd968     00000000    
php5ts!sxe_get_prop_hash+1b8     011d0c78     011d0a60     00372740    
php5ts!sxe_object_cast+36     011d08b0     00c0fb94     00000003    
php5ts!ZEND_JMPZ_SPEC_VAR_HANDLER+12f     00c0fc0c     00372740     00c0fea8    
php5ts!execute+2fe     01200080     00372700     00000000    
php5ts!zend_execute_scripts+f6     00000008     00372740     00000000    
php5ts!php_execute_script+245     00c0fea8     00372740     00000000    
php!main+bf1     00000002     003726d0     00372cd0    
php!mainCRTStartup+e3     00000000     00000000     7ffdf000    
kernel32!BaseProcessStart+23     00402d78     00000000     00000000    

PHP5TS!_ESTRDUP+D
In php__PID__5476__Date__04_20_2010__Time_01_24_03PM__267__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!_estrdup+d in C:\Program Files\PHP\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000000 on thread 0
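
The trace above ends in a read from address 0 inside a string-duplication routine (`_estrdup`, called from `sxe_get_prop_hash`). The C example below is added here to illustrate that failure pattern and a guard against it; it is not PHP's source or the committed fix. The `attr` struct, the function names and the sample data are hypothetical, and it assumes the NULL pointer was a node value that was never set, which the trace itself does not show.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of a parsed attribute. Assumption: a lenient
 * parser can leave a name with no value at all (value == NULL). */
struct attr { const char *name; const char *value; };

/* Unguarded copy: like the _estrdup frame in the trace, it reads through
 * the pointer it is handed, so a NULL argument faults at address 0. */
char *dup_unchecked(const char *s) {
    size_t n = strlen(s);            /* NULL here -> access violation */
    char *p = malloc(n + 1);
    if (p) memcpy(p, s, n + 1);
    return p;
}

/* Guarded copy: a missing value is treated as an empty string. */
char *dup_checked(const char *s) {
    return dup_unchecked(s ? s : "");
}

/* Copy every attribute value into out[]. Returns how many values were
 * NULL and had to be substituted, or -1 on allocation failure. */
int collect_values(const struct attr *a, size_t n, char **out) {
    int missing = 0;
    for (size_t i = 0; i < n; i++) {
        if (a[i].value == NULL) missing++;
        out[i] = dup_checked(a[i].value);
        if (out[i] == NULL) {
            while (i > 0) free(out[--i]);
            return -1;
        }
    }
    return missing;
}

/* Constructed sample (not the real parse of the test script):
 * one empty value and one attribute with no value. */
static const struct attr SAMPLE[] = { { "title", "" }, { "flag", NULL } };

int main(void) {
    char *vals[2];
    int missing = collect_values(SAMPLE, 2, vals);
    printf("missing=%d title=[%s] flag=[%s]\n", missing, vals[0], vals[1]);
    free(vals[0]); free(vals[1]);
    return 0;
}
```

Calling `dup_unchecked` directly on the second sample entry reproduces the class of fault in the dump, a read from address 0.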


 [2010-04-20 18:24 UTC]
Automatic comment from SVN on behalf of felipe
Log: - Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML)
 [2010-04-20 18:24 UTC]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: felipe
 [2010-04-20 18:24 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Last updated: Mon May 20 01:01:32 2024 UTC