From: nyos at nyos dot homelinux dot net
Operating system: Kubuntu linux 7.04 Feisty Fawn
PHP version: 5.2.4
PHP Bug Type: Reproducible crash
Bug description: tidy_get_body segfaults on bad page

Description:
------------
Tidy (libtidy, php-tidy) fails on a (syntactically) incorrect page. This mustn't happen of course. A segmentation fault might be caused by a buffer overrun, or a wandering pointer, which might be a security issue as well. (However, breaking into a bot using tidy through this bug is very unlikely.) Tidy's purpose is to correct incorrect pages, so it needs to be error-proof.

versions: ubuntu feisty default install + kubuntu-desktop + up-to-date system, however, I'm not sure even if it's a bug in php or in tidy

Package: tidy
Version: 20051018-1

Package: libtidy-0.99-0
Version: 20051018-1

Package: php5-tidy
Version: 5.2.1-0ubuntu1.4
(this is the newest version in package, but I didn't see anything about this bug, so possibly it's still a bug)

Reproduce code:
---------------
<?
/*
// this won't work either
$file_data='
<html>
<frameset >
</frameset>
</html>
';
*/
$file_data='
<frameset >
</frameset>
';
$t=tidy_parse_string(trim($file_data));
$t->cleanRepair();
echo "following line segfaults..\n";
$body=tidy_get_body($t);
echo "..or works?\n";
?>

Expected result:
----------------
$body=null, warning, or anything else..

Actual result:
--------------
[EMAIL PROTECTED]:~/webmasters/tidybug$ ./tidy.php
following line segfaults..
Segmentation fault (core dumped)

--
Edit bug report at http://bugs.php.net/?id=42728&edit=1