Bug #64776 The XSLT extension is not thread safe.
Submitted: 2013-05-05 10:48 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: slangley at google dot com Assigned:
Status: Closed Package: XSLT related
PHP Version: 5.4.14 OS: N/A
Private report: No CVE-ID:
 [2013-05-05 10:48 UTC] slangley at google dot com
Description:
------------
ThreadSanitizer has detected a data race in php_xsl.c.

The function xsltSetGenericErrorFunc is not thread safe, yet it can be accessed 
concurrently by separate threads from the request INIT & SHUTDOWN handlers in the 
xslt extension.


/* {{{ PHP_RINIT_FUNCTION
 */
PHP_RINIT_FUNCTION(xsl)
{
	xsltSetGenericErrorFunc(NULL, php_libxml_error_handler);
	return SUCCESS;
}
/* }}} */

/* {{{ PHP_RSHUTDOWN_FUNCTION
 */
PHP_RSHUTDOWN_FUNCTION(xsl)
{
	xsltSetGenericErrorFunc(NULL, NULL);
	return SUCCESS;
}

xsltSetGenericErrorFunc uses two global variables to record state, with no 
protection against concurrent access.


from xsltutils.c

xmlGenericErrorFunc xsltGenericError = xsltGenericErrorDefaultFunc;
void *xsltGenericErrorContext = NULL;


/**
 * xsltSetGenericErrorFunc:
 * @ctx:  the new error handling context
 * @handler:  the new handler function
 *
 * Function to reset the handler and the error context for out of
 * context error messages.
 * This simply means that @handler will be called for subsequent
 * error messages while not parsing nor validating. And @ctx will
 * be passed as first argument to @handler
 * One can simply force messages to be emitted to another FILE * than
 * stderr by setting @ctx to this file handle and @handler to NULL.
 */
void
xsltSetGenericErrorFunc(void *ctx, xmlGenericErrorFunc handler) {
    xsltGenericErrorContext = ctx;
    if (handler != NULL)
	xsltGenericError = handler;
    else
	xsltGenericError = xsltGenericErrorDefaultFunc;
}

Calling xsltSetGenericErrorFunc from the module initializer should solve this 
problem.

Test script:
---------------
build PHP with --enable-maintainer-zts.

Execute concurrent requests.
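
Added example, not part of the original report and not php-src or libxslt code: a self-contained C model of the handler lifecycle quoted above. It goes one step beyond the memory-level race ThreadSanitizer flags and shows the observable effect of keeping the handler in process-wide state: one request's shutdown resets the handler for a request that is still running. All names are hypothetical stand-ins, and the interleaving of the two requests is replayed in a fixed order on one thread so the outcome is deterministic.

```c
#include <stdio.h>
#include <stddef.h>

typedef void (*err_fn)(void *ctx, const char *msg);

/* Counters recording which handler received a message. */
static int php_hits, default_hits;
static void default_handler(void *c, const char *m) { (void)c; (void)m; default_hits++; }
static void php_handler(void *c, const char *m)     { (void)c; (void)m; php_hits++; }

/* Process-wide state, shaped like xsltGenericError / xsltGenericErrorContext. */
static err_fn g_handler = default_handler;
static void  *g_ctx     = NULL;

/* Same logic as the setter quoted in the report: NULL means "default". */
static void set_generic_error_func(void *ctx, err_fn handler) {
    g_ctx = ctx;
    g_handler = handler ? handler : default_handler;
}
static void report_error(const char *msg) { g_handler(g_ctx, msg); }

/* Lifecycle from the report: install and remove on every request. */
static void rinit_old(void)     { set_generic_error_func(NULL, php_handler); }
static void rshutdown_old(void) { set_generic_error_func(NULL, NULL); }

/* Lifecycle the report suggests: touch the globals only at module
 * start-up and shutdown, when no request threads are running. */
static void minit_new(void)     { set_generic_error_func(NULL, php_handler); }
static void mshutdown_new(void) { set_generic_error_func(NULL, NULL); }

/* Replays: A starts, B starts, A ends, B reports an error, B ends.
 * Returns how many of B's errors reached the default handler. */
static int misrouted_errors(int per_request) {
    php_hits = default_hits = 0;
    set_generic_error_func(NULL, NULL);           /* clean starting state */
    if (per_request) { rinit_old(); rinit_old(); } /* A and B begin */
    else             { minit_new(); }              /* once per process */
    if (per_request) rshutdown_old();              /* A ends, B in flight */
    report_error("B: transform failed");
    if (per_request) rshutdown_old();              /* B ends */
    else             mshutdown_new();
    return default_hits;
}

int main(void) {
    printf("per-request install: %d misrouted\n", misrouted_errors(1));
    printf("module-level install: %d misrouted\n", misrouted_errors(0));
    return 0;
}
```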


History

 [2013-12-02 14:01 UTC] mike@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7cd702640de648a4fd5d49234b9ce4704c007f5d
Log: Fix Bug #64776 	The XSLT extension is not thread safe.
 [2013-12-02 14:01 UTC] mike@php.net
-Status: Open +Status: Closed
 [2013-12-02 16:51 UTC] ab@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7cd702640de648a4fd5d49234b9ce4704c007f5d
Log: Fix Bug #64776 	The XSLT extension is not thread safe.
 [2014-01-17 21:59 UTC] bwoebi@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7cd702640de648a4fd5d49234b9ce4704c007f5d
Log: Fix Bug #64776 	The XSLT extension is not thread safe.
 [2014-02-06 08:43 UTC] bwoebi@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7cd702640de648a4fd5d49234b9ce4704c007f5d
Log: Fix Bug #64776 	The XSLT extension is not thread safe.
 [2016-07-20 11:41 UTC] davey@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7cd702640de648a4fd5d49234b9ce4704c007f5d
Log: Fix Bug #64776 	The XSLT extension is not thread safe.
 
Last updated: Sun Feb 26 21:01:35 2017 UTC