 ID:               42728
 User updated by:  nyos at nyos dot homelinux dot net
 Reported By:      nyos at nyos dot homelinux dot net
-Status:           Feedback
+Status:           Open
 Bug Type:         Reproducible crash
 Operating System: Kubuntu linux 7.04 Feisty Fawn
 PHP Version:      5.2.4
 New Comment:

Thanks for your fast reply. I've compiled 5.2.4 with
./configure --enable-debug --with-tidy
command line switches. Here's the backtrace.

Core was generated by `/home/nyos/webmasters/tidybug/src/php-5.2.4/sapi/cli/php ./tidy.php'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7f7e3d8 in tidyGetChild () from /usr/lib/libtidy-0.99.so.0
(gdb) bt
#0  0xb7f7e3d8 in tidyGetChild () from /usr/lib/libtidy-0.99.so.0
#1  0x082b5f98 in tidy_add_default_properties (obj=0x854bda0, type=is_node)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/ext/tidy/tidy.c:811
#2  0x082b64c8 in php_tidy_create_node (ht=1, return_value=0x854b4b0,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, node=is_body_node)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/ext/tidy/tidy.c:902
#3  0x082b8e09 in zif_tidy_get_body (ht=1, return_value=0x854b4b0,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/ext/tidy/tidy.c:1548
#4  0x083469a1 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb3c5e0)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend_vm_execute.h:200
#5  0x0834c257 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfb3c5e0)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend_vm_execute.h:1681
#6  0x083464f1 in execute (op_array=0x854ade0)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend_vm_execute.h:92
#7  0x08321b41 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend.c:1134
#8  0x082cdc05 in php_execute_script (primary_file=0xbfb3e958)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/main/main.c:1982
#9  0x0839b5a1 in main (argc=2, argv=0xbfb3eac4)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/sapi/cli/php_cli.c:1140
(gdb) frame 6
#6  0x083464f1 in execute (op_array=0x854ade0)
    at /home/nyos/webmasters/tidybug/src/php-5.2.4/Zend/zend_vm_execute.h:92
92              if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {


Previous Comments:
------------------------------------------------------------------------

[2007-09-21 16:44:45] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

------------------------------------------------------------------------

[2007-09-21 14:50:38] nyos at nyos dot homelinux dot net

Description:
------------
Tidy (libtidy, php-tidy) fails on a (syntactically) incorrect page.
This mustn't happen of course. A segmentation fault might be caused by
a buffer overrun, or a wandering pointer, which might be a security
issue as well. (However, breaking into a bot using tidy through this
bug is very unlikely.)
Tidy's purpose is to correct incorrect pages, so it needs to be
error-proof.

versions: ubuntu feisty default install + kubuntu-desktop + up-to-date
system, however, I'm not sure even if it's a bug in php or in tidy

Package: tidy
Version: 20051018-1

Package: libtidy-0.99-0
Version: 20051018-1

Package: php5-tidy
Version: 5.2.1-0ubuntu1.4
(this is the newest version in package, but I didn't see anything about
this bug, so possibly it's still a bug)

Reproduce code:
---------------
<?
/*
// this won't work either
$file_data='
<html>
<frameset >
</frameset>
</html>
';
*/
$file_data='
<frameset >
</frameset>
';
$t=tidy_parse_string(trim($file_data));
$t->cleanRepair();
echo "following line segfaults..\n";
$body=tidy_get_body($t);
echo "..or works?\n";
?>

Expected result:
----------------
$body=null, warning, or anything else..

Actual result:
--------------
[EMAIL PROTECTED]:~/webmasters/tidybug$ ./tidy.php
following line segfaults..
Segmentation fault (core dumped)

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=42728&edit=1