Bug #54601 Removing the doctype node segfaults
Submitted: 2011-04-25 13:06 UTC Modified: 2011-08-30 13:48 UTC
From: hannes dot magnusson at gmail dot com Assigned: rrichards
Status: Closed Package: Reproducible crash
PHP Version: 5.3SVN-2011-04-25 (SVN) OS: Linux
Private report: No CVE-ID:
 [2011-04-25 13:06 UTC] hannes dot magnusson at gmail dot com
Description:
------------
ext/dom segfaults during shutdown when removing the doctype node :]

The resulting document appears fine.


Test script:
---------------
--TEST--
Segfault when removing the Doctype node
--SKIPIF--
<?php require_once('skipif.inc'); ?>
--FILE--
<?php
$xml = <<< XML
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE set PUBLIC "-//OASIS//DTD DocBook XML V5.0//EN" "http://www.docbook.org/xml/5.0/dtd/docbook.dtd" [
<!ENTITY foo '<foo>footext</foo>'>
<!ENTITY bar '<bar>bartext</bar>'>
]>
<set>&foo;&bar;</set>
XML;

$doc = new DOMDocument();
$doc->loadXML($xml, LIBXML_NOENT);
$n = $doc->doctype;
$doc->removeChild($n);
var_dump($n);
?>
===DONE===
<?php exit(0); ?>
--EXPECTF--
object(DOMDocumentType)#%d (0) {
}
===DONE===


Actual result:
--------------
0x0000000000481cbf in php_libxml_decrement_node_ptr (object=0x14a1750) at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:956
956			ret_refcount = --obj_node->refcount;
(gdb) bt
#0  0x0000000000481cbf in php_libxml_decrement_node_ptr (object=0x14a1750) at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:956
#1  0x000000000047fae5 in php_libxml_clear_object (object=0x14a1750) at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:150
#2  0x000000000047fb30 in php_libxml_unregister_node (nodep=0x14a1b90) at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:163
#3  0x000000000047fda0 in php_libxml_node_free_list (node=0x14a1b90) at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:248
#4  0x000000000047fd57 in php_libxml_node_free_list (node=0x149e190) at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:239
#5  0x0000000000481f7c in php_libxml_node_free_resource (node=0x149df90) at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:1024
#6  0x0000000000482060 in php_libxml_node_decrement_resource (object=0x147fb90) at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:1059
#7  0x0000000000599b02 in dom_objects_free_storage (object=0x147fb90) at /home/bjori/Work/OSS/php/php5.3/ext/dom/php_dom.c:1017
#8  0x00000000009c5c92 in zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=0x1233100) at /home/bjori/Work/OSS/php/php5.3/Zend/zend_objects_API.c:220
#9  0x00000000009c598b in zend_objects_store_del_ref (zobject=0x147d5a0) at /home/bjori/Work/OSS/php/php5.3/Zend/zend_objects_API.c:172
#10 0x00000000009931ef in _zval_dtor_func (zvalue=0x147d5a0, __zend_filename=0xf09128 "/home/bjori/Work/OSS/php/php5.3/Zend/zend_execute_API.c", __zend_lineno=445) at /home/bjori/Work/OSS/php/php5.3/Zend/zend_variables.c:52
#11 0x0000000000981fe9 in _zval_dtor (zvalue=0x147d5a0, __zend_filename=0xf09128 "/home/bjori/Work/OSS/php/php5.3/Zend/zend_execute_API.c", __zend_lineno=445) at /home/bjori/Work/OSS/php/php5.3/Zend/zend_variables.h:35
#12 0x000000000098341a in _zval_ptr_dtor (zval_ptr=0x147fde0, __zend_filename=0xf0a230 "/home/bjori/Work/OSS/php/php5.3/Zend/zend_variables.c", __zend_lineno=189) at /home/bjori/Work/OSS/php/php5.3/Zend/zend_execute_API.c:445
#13 0x0000000000993668 in _zval_ptr_dtor_wrapper (zval_ptr=0x147fde0) at /home/bjori/Work/OSS/php/php5.3/Zend/zend_variables.c:189
#14 0x00000000009a6ad7 in zend_hash_apply_deleter (ht=0x12395c8, p=0x147fdc8) at /home/bjori/Work/OSS/php/php5.3/Zend/zend_hash.c:612
#15 0x00000000009a717e in zend_hash_reverse_apply (ht=0x12395c8, apply_func=0x9829e0 <zval_call_destructor>) at /home/bjori/Work/OSS/php/php5.3/Zend/zend_hash.c:761
#16 0x0000000000982a94 in shutdown_destructors () at /home/bjori/Work/OSS/php/php5.3/Zend/zend_execute_API.c:226
#17 0x000000000099521b in zend_call_destructors () at /home/bjori/Work/OSS/php/php5.3/Zend/zend.c:874
#18 0x000000000091414a in php_request_shutdown (dummy=0x0) at /home/bjori/Work/OSS/php/php5.3/main/main.c:1591
#19 0x0000000000a84304 in main (argc=2, argv=0x7fffffffe198) at /home/bjori/Work/OSS/php/php5.3/sapi/cli/php_cli.c:1374
(gdb)
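The operation the report exercises, written up as an added example: this is not code from the bug report, from the attached patch, or from php-src. It assumes only PHP's ext/dom and ext/libxml; the helper names strip_doctype, strip_doctype_from_string and check are mine, and the input is constructed from the report's test document with the external DTD identifier dropped so that only the internal subset is ever referenced. It performs the removal the report describes and then verifies the result, which lets the removal itself be checked separately from the shutdown-time crash in the backtrace above.

```php
<?php
// Added example, not code from bug #54601 or from php-src: drop the DOCTYPE
// from a parsed document and verify the result, independently of the
// shutdown-time crash the report describes.
declare(strict_types=1);

/** Remove the document type node from $doc; returns true if one was removed. */
function strip_doctype(DOMDocument $doc): bool
{
    $dtd = $doc->doctype;
    if ($dtd === null) {
        return false;
    }
    // $dtd is a DOMDocumentType wrapper around the libxml node. The report's
    // crash occurs when such a wrapper is released at request shutdown after
    // the node was detached, so drop our reference as soon as the removal is done.
    $doc->removeChild($dtd);
    unset($dtd);
    return true;
}

/**
 * Parse $xml, strip its DOCTYPE and return the serialised result.
 * LIBXML_NOENT expands entities declared in the internal subset at parse time
 * (as the report's test does), so the output stays self-contained once the
 * DTD is gone. Caveat: LIBXML_NOENT also substitutes external entities;
 * LIBXML_NONET blocks network fetches, and the flag should still only be used
 * on trusted input.
 */
function strip_doctype_from_string(string $xml): string
{
    $prev = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if (!$doc->loadXML($xml, LIBXML_NOENT | LIBXML_NONET)) {
            $errors = libxml_get_errors();
            $msg = $errors ? trim($errors[0]->message) : 'unknown error';
            throw new RuntimeException("XML parse failed: $msg");
        }
        strip_doctype($doc);
        return $doc->saveXML();
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
}

/** Check helper so the example fails loudly regardless of zend.assertions. */
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed input modelled on the report's document, internal subset only.
$xml = <<<'XML'
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE set [
<!ENTITY foo '<foo>footext</foo>'>
<!ENTITY bar '<bar>bartext</bar>'>
]>
<set>&foo;&bar;</set>
XML;

$out = strip_doctype_from_string($xml);
check(strpos($out, '<!DOCTYPE') === false, 'DOCTYPE removed from output');
check(strpos($out, '<foo>footext</foo>') !== false, 'entity content inlined');

// Re-parse without LIBXML_NOENT: with no DTD left, the output must stand on its own.
$again = new DOMDocument();
check($again->loadXML($out) === true, 'stripped output re-parses');
check($again->doctype === null, 'no DOCTYPE after round trip');
check(strip_doctype($again) === false, 'nothing to strip the second time');

echo $out;
```

Run it as `php strip_doctype.php`; it prints the stripped document (`<set><foo>footext</foo><bar>bartext</bar></set>` under the XML declaration) or throws on the first failed check. The report's test passes LIBXML_NOENT, which makes libxml substitute entity references during parsing; that is what makes the stripped document self-contained here, and it is also the flag to avoid on input you do not control.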


Patches

v1.patch (last revision 2011-04-25 21:13 UTC by hannes dot magnusson at gmail dot com)


History

 [2011-04-25 13:07 UTC] bjori@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: rrichards
 [2011-04-25 13:07 UTC] bjori@php.net
Another one from phpdoc :)
 [2011-04-25 23:14 UTC] bjori@php.net
The attached patch does seem to fix the issue and makes valgrind stop bleeding..

If it is however proper, I don't know :)
 [2011-05-29 13:39 UTC] bjori@php.net
Automatic comment from SVN on behalf of bjori
Revision: http://svn.php.net/viewvc/?view=revision&revision=311544
Log: Fixed bug #54601 (Removing the doctype node segfaults)
 [2011-06-02 20:06 UTC] iliaa@php.net
-Status: Assigned +Status: Feedback
 [2011-06-02 20:06 UTC] iliaa@php.net
With latest SVN on Linux I am unable to reproduce the crash. Can you still 
reproduce it?
 [2011-06-02 20:38 UTC] hannes dot magnusson at gmail dot com
-Status: Feedback +Status: Assigned
 [2011-06-02 20:38 UTC] hannes dot magnusson at gmail dot com
I've already committed the patch, but Richard believed there could maybe be other issues - hence leaving the report open until he can verify the fix properly.
 [2011-08-30 13:48 UTC] bjori@php.net
-Status: Assigned +Status: Closed
 [2011-08-30 13:48 UTC] bjori@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

think it's safe to close this one now :)
 [2012-04-18 09:50 UTC] laruence@php.net
Automatic comment on behalf of bjori
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ca9033995713108d607c92f7db7ede3330fa996b
Log: Fixed bug #54601 (Removing the doctype node segfaults)
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of bjori
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ca9033995713108d607c92f7db7ede3330fa996b
Log: Fixed bug #54601 (Removing the doctype node segfaults)
 [2013-11-17 09:38 UTC] laruence@php.net
Automatic comment on behalf of bjori
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ca9033995713108d607c92f7db7ede3330fa996b
Log: Fixed bug #54601 (Removing the doctype node segfaults)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 13:02:46 2014 UTC