#49632 [Opn->Fbk]: xmlrpc_decode result crashes on value assignment

Tue, 22 Sep 2009 13:32:23 -0700 

 ID:               49632
 Updated by:       j...@php.net
-Summary:          xmlrpc_decode result crushes on value assignment
 Reported By:      m dot kurzyna at crystalpoint dot pl
-Status:           Open
+Status:           Feedback
 Bug Type:         XMLRPC-EPI related
 Operating System: Linux x86_64
 PHP Version:      5.3.0
 New Comment:

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I can not reproduce this. Also make sure you're not loading any zend 
extensions..


Previous Comments:
------------------------------------------------------------------------

[2009-09-22 20:23:20] m dot kurzyna at crystalpoint dot pl

Description:
------------
On decoding value with xmlrpc_decode() it will hang/crash PHP process
when trying to assign result value.

This will work fine:

xmlrpc_decode('...','utf-8');

While this:

$r = xmlrpc_decode('...','utf-8');

Will hang/crash. 

This only happens on x86_64 systems - 32bit works fine.

Relevant part of the backtrace seems to be:

#24 0x00007fffeb297271 in XML_ParseBuffer () from
/usr/lib64/libexpat.so.0
#25 0x00007fffeb4c329a in xml_elem_parse_buf () from
/usr/lib64/libxmlrpc.so.0
#26 0x00007fffeb4c74e9 in XMLRPC_REQUEST_FromXML () from
/usr/lib64/libxmlrpc.so.0
#27 0x00007fffeb6d3523 in decode_request_worker (xml_in=0x7ffff637ee60
"\2", xml_in_len=128, encoding_in=<value optimized out>,
method_name_out=0xffffffffffffffff) at
/usr/src/debug/php-5.3.0/ext/xmlrpc/xmlrpc-epi-php.c:764
#28 0x00007fffeb6d3630 in zif_xmlrpc_decode (ht=<value optimized out>,
return_value=0x86e5e0, return_value_ptr=<value optimized out>,
this_ptr=<value optimized out>, return_value_used=1, tsrm_ls=0x606ce0)
    at /usr/src/debug/php-5.3.0/ext/xmlrpc/xmlrpc-epi-php.c:821


I will provide full trace if needed.


Reproduce code:
---------------
<?php
    $v = xmlrpc_decode(
'<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
        <string>1</string>
      </value>
     </param>
  </params>
</methodResponse>','utf-8');
    echo "OK\n";
?>


Expected result:
----------------
OK

Actual result:
--------------
*** glibc detected *** /usr/bin/php: free(): invalid next size (fast):
0x00000000008a7540 ***


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49632&edit=1

Reply via email to