Bug #59492 Simple HTML IMG and A tag causes Pecl to crash
Submitted: 2010-11-03 22:08 UTC Modified: 2010-11-05 18:07 UTC
From: netslayer007 at gmail dot com Assigned:
Status: Closed Package: tidy (PECL)
PHP Version: 5.2.8 OS:
Private report: No CVE-ID: None
 [2010-11-03 22:08 UTC] netslayer007 at gmail dot com
Description:
------------
Segmentation Fault with a simple img and anchor tag "<img> <a></a>".

[Wed Nov 03 19:43:31 2010] [notice] child pid 5757 exit signal Segmentation fault (11)

Reproduce code:
---------------
<?php  tidy_repair_string("<img> <a></a>", null); ?>

Expected result:
----------------
It doesn't crash

Actual result:
--------------
Seg Fault

 [2010-11-04 16:03 UTC] netslayer007 at gmail dot com
Tags with spaces are causing a seg fault:
"<a> <b>" = Seg Fault
"<i> <b>" = Seg Fault
"<i> <img>" = Seg Fault

Tags next to each other without spaces are fine:
"<a><a>" = OK
"<a><b>" = OK
"<b><a>" = OK
"<a><i>" = OK
"<i><b>" = OK
"<i><img>" = OK
"<a><img>" = OK

Some tags with spaces work fine:
"<i> <i>" = OK

Original string I found this bug in:
<img src="http://" style="margin-right: 3px; display: inline; vertical-align: middle;" height="20" width="20"> <a href="/services/alerts/">Text</a>
 [2010-11-04 19:26 UTC] netslayer007 at gmail dot com
Here's the end of the stack dump

Reading symbols from /home/c/cvs/cf/ext/lib/php/extensions/tidy.so...done.
Loaded symbols for /home/c/cvs/cf/ext/lib/php/extensions/tidy.so
Reading symbols from /home/c/cvs/cf/ext/lib/libtidy-0.99.so.0...done.
Loaded symbols for /home/c/cvs/cf/ext/lib/libtidy-0.99.so.0
Reading symbols from /lib64/libnss_files.so.2...done.
Loaded symbols for /lib64/libnss_files.so.2
#0  0x0000002a9c89fc9c in TextEndsWithNewline () from /home/c/cvs/cf/ext/lib/libtidy-0.99.so.0
 [2010-11-04 19:32 UTC] netslayer007 at gmail dot com
Adding duplicate bug reported w/ patch (Subject: [ tidy-Bugs-1694875 ] Accessing offset -1 of the
buffer in TextEndsWithNewline - msg#00038
List: web.html-tidy.tracker)

http://osdir.com/ml/web.html-tidy.tracker/2007-04/msg00038.html
 [2010-11-05 18:07 UTC] netslayer007 at gmail dot com
This was no longer reproducible once I updated to the latest CVS libtidy from sourceforge so I'm going to close it. Anyone else who cannot upgrade can try the patch attached to the bug report URL that is in the comments.
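A regression check for the inputs listed in this report, added here as an example and not part of the original thread or of PHP or libtidy: it feeds each string to `tidy_repair_string` in a separate process, so a segfault is recorded per input instead of killing the checker. It assumes a `php` CLI with the tidy extension on PATH; `REPORTED`, `PHP_CMD`, `run_isolated` and `still_crashing` are names made up for this example.

```python
import signal
import subprocess
import sys

# Inputs and outcomes as listed in the report (reporter's libtidy-0.99 build).
REPORTED = {
    "<img> <a></a>": "SIGSEGV", "<a> <b>": "SIGSEGV",
    "<i> <b>": "SIGSEGV", "<i> <img>": "SIGSEGV",
    "<a><a>": "OK", "<a><b>": "OK", "<b><a>": "OK", "<a><i>": "OK",
    "<i><b>": "OK", "<i><img>": "OK", "<a><img>": "OK", "<i> <i>": "OK",
}

# Assumption: a php CLI with the tidy extension loaded is on PATH.
PHP_CMD = ["php", "-r", "tidy_repair_string($argv[1], null);", "--"]


def run_isolated(cmd, html, timeout=10):
    """Run one input in its own process; a crash only kills that child."""
    try:
        proc = subprocess.run(cmd + [html], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "TIMEOUT"
    if proc.returncode < 0:  # POSIX: -N means the child died from signal N
        return signal.Signals(-proc.returncode).name
    # Non-zero exit also covers a PHP fatal error, e.g. tidy not loaded.
    return "OK" if proc.returncode == 0 else f"EXIT_{proc.returncode}"


def still_crashing(cmd=PHP_CMD, cases=REPORTED):
    """Inputs that do not come back clean; empty on a fixed libtidy."""
    return [html for html in cases if run_isolated(cmd, html) != "OK"]


if __name__ == "__main__":
    failing = still_crashing()
    for html, before in REPORTED.items():
        now = "FAIL" if html in failing else "OK"
        print(f"{html!r:20} reported={before:8} now={now}")
    sys.exit(1 if failing else 0)
```

Run it before and after upgrading or patching libtidy; the exit status is non-zero while any listed input still fails.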
 
Last updated: Mon Jan 24 01:04:10 2022 UTC