#34232 [NEW]: Crash (double free or corruption) using DOM functions

2005-08-24 Thread anders at kaseorg dot com
From: anders at kaseorg dot com
Operating system: Linux (Fedora Core 4)
PHP version:  5.0.4
PHP Bug Type: Reproducible crash
Bug description:  Crash (double free or corruption) using DOM functions

Description:

Running PHP (5.0.4-10.3 on Fedora Core 4) on this code crashes with a
double free error after producing correct output. If you comment the
last appendChild line, it segfaults instead.

Reproduce code:
---
<?php
// Build an XHTML 1.0 Strict document with a DOCTYPE via DOMImplementation.
$imp = new DOMImplementation();
$doc = $imp->createDocument(
  'http://www.w3.org/1999/xhtml',
  'html',
  $imp->createDocumentType('html',
    '-//W3C//DTD XHTML 1.0 Strict//EN',
    'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd')
);
$html = $doc->documentElement;
$head = $html->appendChild($doc->createElement('head'));
// The meta element is the one the serializer replaces; removing it avoids the crash.
$meta = $head->appendChild($doc->createElement('meta'));
$meta->setAttribute('http-equiv', 'Content-Type');
$meta->setAttribute('content', 'application/xhtml+xml; charset=utf-8');
// Commenting out this line turns the double free into a segfault.
$head->appendChild($doc->createElement('title'));
echo $doc->saveXML();
?>


Expected result:

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta
http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title></title></head></html>


Actual result:
--
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta
http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title></title></head></html>
*** glibc detected *** php: double free or corruption (!prev): 0x0985dcf0 ***
=== Backtrace: =
/lib/libc.so.6[0x984124]
/lib/libc.so.6(__libc_free+0x77)[0x98465f]
/usr/lib/libxml2.so.2(xmlFreeNode+0x1ce)[0x7535b66]
php[0x80728be]
php[0x80733cb]
php[0x807339f]
php(php_libxml_node_free_resource+0x3f)[0x8073423]
php(php_libxml_node_decrement_resource+0x41)[0x807349b]
/usr/lib/php/modules/dom.so(dom_objects_free_storage+0x54)[0xc14576]
php(zend_objects_store_del_ref+0x72)[0x8187e48]
php(_zval_ptr_dtor+0x36)[0x8168e3c]
php[0x8179ffc]
php(zend_hash_graceful_reverse_destroy+0x18)[0x817a116]
php(shutdown_executor+0x7c)[0x8169a60]
php(zend_deactivate+0x93)[0x81740de]
php(php_request_shutdown+0x180)[0x813e197]
php(main+0x174)[0x81a7895]
/lib/libc.so.6(__libc_start_main+0xdf)[0x935d5f]
php[0x80727b1]




#34232 [Asn]: Crash (double free or corruption) using DOM functions

2005-08-24 Thread anders at kaseorg dot com
 ID:   34232
 User updated by:  anders at kaseorg dot com
 Reported By:  anders at kaseorg dot com
 Status:   Assigned
 Bug Type: Reproducible crash
 Operating System: Linux (Fedora Core 4)
 PHP Version:  5.0.4
 Assigned To:  rrichards
 New Comment:

Not sure whether you still need this information, but yeah, the
snapshot crashes too.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208449360 (LWP 30882)]
php_libxml_decrement_node_ptr (object=0xa1ea508)
at php5-200508241430/ext/libxml/libxml.c:861
861 ret_refcount = --obj_node-refcount;
(gdb) bt
#0  php_libxml_decrement_node_ptr (object=0xa1ea508)
at php5-200508241430/ext/libxml/libxml.c:861
#1  0x08069605 in php_libxml_unregister_node (nodep=Variable nodep is
not available.
)
at php5-200508241430/ext/libxml/libxml.c:139
#2  0x0806968f in php_libxml_node_free_list (node=Variable node is
not available.
)
at php5-200508241430/ext/libxml/libxml.c:230
#3  0x080696b4 in php_libxml_node_free_list (node=Variable node is
not available.
)
at php5-200508241430/ext/libxml/libxml.c:221
#4  0x080696fd in php_libxml_node_free_resource (node=0xa1ea510)
at php5-200508241430/ext/libxml/libxml.c:934
#5  0x0806977d in php_libxml_node_decrement_resource
(object=0xa1ea56c)
at php5-200508241430/ext/libxml/libxml.c:957
#6  0x080807dd in dom_objects_free_storage (object=0xa1ea56c)
at php5-200508241430/ext/dom/php_dom.c:901
#7  0x0813503a in zend_objects_store_del_ref (zobject=0xa1ef55c)
at php5-200508241430/Zend/zend_objects_API.c:161
#8  0x081169c9 in _zval_ptr_dtor (zval_ptr=0xa1ea630)
at php5-200508241430/Zend/zend_variables.h:35
#9  0x0812774f in zend_hash_apply_deleter (ht=0x8225a50, p=0xa1ea624)
at php5-200508241430/Zend/zend_hash.c:574
#10 0x0812788f in zend_hash_graceful_reverse_destroy (ht=0x8225a50)
at php5-200508241430/Zend/zend_hash.c:640
#11 0x08116862 in shutdown_executor ()
at php5-200508241430/Zend/zend_execute_API.c:216
#12 0x08120d40 in zend_deactivate ()
at php5-200508241430/Zend/zend.c:823
#13 0x080edc44 in php_request_shutdown (dummy=0x0)
at php5-200508241430/main/main.c:1241
#14 0x0819f14c in main (argc=1, argv=0xbf8a07f4)
at php5-200508241430/sapi/cli/php_cli.c:1142


Previous Comments:


[2005-08-24 15:42:16] [EMAIL PROTECTED]

Not yet sure if this will require changes to DOM and SimpleXML or
is a libxml2-specific bug. Assigning to self for now.

Current work around: Don't add the meta element, as it's going to be
destroyed and a new one added anyway when serializing.



[2005-08-24 11:34:34] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php5-win32-latest.zip
