From: wouter at widexs dot nl
Operating system: Linux
PHP version: 4.4.7
PHP Bug Type: *XML functions
Bug description: segmentation fault on domxml_document_parser
Description:
------------
PHP 4.4.7 as Apache 2.0.59 DSO module gives a segmentation fault when
parsing specific XML code.
I've been unable to locate the exact code as of yet that triggers this
(since multiple clients use the piece of code I found in the backtrace).
A 'bt full' is also available, which might reveal more info for you.
I've disabled any Zend + 3rd-party extensions, thus only PHP-only
extensions built-in.
Reproduce code:
---------------
Don't have it, though it has to be something like this:
#16 0xb75b8952 in domxml_document_parser (mode=144905360, loadtype=0,
source=0x8ac77e4 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
Transitional//EN\"
\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<html
xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head
profile=\"http://gmpg.org/x"..., data=0x0)
at
/opt/install/widexs_apache_2006_026/php-4.4.7/ext/domxml/php_domxml.c:4006
Which is used in WordPress CMS if I'm correct.
Expected result:
----------------
No segmentation fault :)
Actual result:
--------------
backtrace:
(gdb) bt
#0 0xb7a21df3 in free () from /lib/libc.so.6
#1 0xb6faf788 in xmlResetError__internal_alias (err=0xbfd65360) at
error.c:871
#2 0xb6faeb94 in __xmlRaiseError (schannel=0, channel=0xb75b2ebc
<domxml_error_validate>, data=0xbfd651e0, ctx=0xbfd651e0, nod=0x8ae0ee8,
domain=23,
code=504, level=XML_ERR_ERROR, file=0x0, line=-2147483636,
str1=0x8b247f8 "ul", str2=0x8b247f8 "ul", str3=0xbfd62690 "()", int1=35,
col=1,
msg=0xb70706a0 "Element %s content does not follow the DTD, expecting
%s, got %s\n") at error.c:534
#3 0xb6fda6f8 in xmlErrValidNode (ctxt=0x23, node=0x8ae0ee8,
error=XML_DTD_CONTENT_MODEL,
msg=0xb70706a0 "Element %s content does not follow the DTD, expecting
%s, got %s\n", str1=0xb7adc4a4 "", str2=0xbfd63a20 "(li)+", str3=0xbfd62690
"()")
at valid.c:152
#4 0xb6fe0763 in xmlValidateElementContent (ctxt=0x8a314fc,
child=0x8ae0f38, elemDecl=0xbfd62690, warn=1, parent=0x8ae0ee8) at
valid.c:5366
#5 0xb6fe15f6 in xmlValidateOneElement__internal_alias (ctxt=0x8a314fc,
doc=0x8ae0f38, elem=0x8ae0ee8) at valid.c:6052
#6 0xb705b5d4 in xmlSAX2EndElementNs__internal_alias (ctx=0x8a31490,
localname=0x8b06f4a "ul", prefix=0x0, URI=0x8b06ddf
"http://www.w3.org/1999/xhtml")
at SAX2.c:2315
#7 0xb6fbf56e in xmlParseEndTag2 (ctxt=0x8a31490, prefix=0x0,
URI=0x8b06ddf "http://www.w3.org/1999/xhtml", line=28, nsNr=0, tlen=0) at
parser.c:8207
#8 0xb6fbff9d in xmlParseElement__internal_alias (ctxt=0x8a31490) at
parser.c:8542
#9 0xb6fbfcef in xmlParseContent__internal_alias (ctxt=0x8a31490) at
parser.c:8361
#10 0xb6fbff56 in xmlParseElement__internal_alias (ctxt=0x8a31490) at
parser.c:8521
#11 0xb6fbfcef in xmlParseContent__internal_alias (ctxt=0x8a31490) at
parser.c:8361
#12 0xb6fbff56 in xmlParseElement__internal_alias (ctxt=0x8a31490) at
parser.c:8521
#13 0xb6fbfcef in xmlParseContent__internal_alias (ctxt=0x8a31490) at
parser.c:8361
#14 0xb6fbff56 in xmlParseElement__internal_alias (ctxt=0x8a31490) at
parser.c:8521
#15 0xb6fc1133 in xmlParseDocument__internal_alias (ctxt=0x8a31490) at
parser.c:9129
#16 0xb75b8952 in domxml_document_parser (mode=144905360, loadtype=0,
source=0x8ac77e4 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
Transitional//EN\"
\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<html
xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head
profile=\"http://gmpg.org/x"..., data=0x0)
at
/opt/install/widexs_apache_2006_026/php-4.4.7/ext/domxml/php_domxml.c:4006
#17 0xb75b8a46 in zif_xmldoc (ht=2, return_value=0x8a31264, this_ptr=0x0,
return_value_used=1)
at
/opt/install/widexs_apache_2006_026/php-4.4.7/ext/domxml/php_domxml.c:4042
#18 0xb76d576a in execute (op_array=0x8a9ee10) at
/opt/install/widexs_apache_2006_026/php-4.4.7/Zend/zend_execute.c:1681
#19 0xb76d551c in execute (op_array=0x8a40960) at
/opt/install/widexs_apache_2006_026/php-4.4.7/Zend/zend_execute.c:1725
#20 0xb76d551c in execute (op_array=0x8984534) at
/opt/install/widexs_apache_2006_026/php-4.4.7/Zend/zend_execute.c:1725
#21 0xb76c8fbf in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /opt/install/widexs_apache_2006_026/php-4.4.7/Zend/zend.c:939
#22 0xb76a4068 in php_execute_script (primary_file=0xbfd6ab70) at
/opt/install/widexs_apache_2006_026/php-4.4.7/main/main.c:1757
#23 0xb76d96a7 in php_handler (r=0x8978608) at
/opt/install/widexs_apache_2006_026/php-4.4.7/sapi/apache2handler/sapi_apache2.c:581
#24 0x080af902 in ap_run_handler ()
#25 0x080b0071 in ap_invoke_handler ()
#26 0x0809050d in ap_process_request ()
#27 0x0808a977 in ap_process_http_connection ()
#28 0x080bc422 in ap_run_process_connection ()
#29 0x080bc810 in ap_process_connection ()
#30 0x080ae19f in child_main ()
#31 0x080ae329 in make_child ()
#32 0x080ae39e in startup_children ()
#33 0x080ae7a7 in ap_mpm_run ()
#34 0x080b54b9 in main ()
#35 0xb79d0b94 in __libc_start_main () from /lib/libc.so.6
--
Edit bug report at http://bugs.php.net/?id=41346&edit=1