From: felipensp at gmail dot com
Operating system: Linux
PHP version: 5.2.4
PHP Bug Type: SimpleXML related
Bug description: Xpath buffer overflow
Description:
------------
XPath causes a buffer overflow when a function is not found in a predicate.

Reproduce code:
---------------
<?php
$source = file_get_contents('http://visualjquery.com/1.1.2.html');
$xml = new SimpleXMLElement($source);
$entries = $xml->xpath('//h1[.=foo()]');

Expected result:
----------------
Only error messages.

Actual result:
--------------
[EMAIL PROTECTED]:~/public_html$ php test.php

Warning: SimpleXMLElement::xpath(): xmlXPathCompOpEval: function foo not found in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): Unregistered function in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): xmlXPathEval: 2 object left on the stack in /home/felipe/public_html/test.php on line 5
*** glibc detected *** php: corrupted double-linked list: 0x084afa90 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d2db2a]
/lib/tls/i686/cmov/libc.so.6[0xb7d2f50f]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7d32e30]
/usr/lib/libxml2.so.2(xmlDictFree+0xec)[0xb7eec17c]
/usr/lib/libxml2.so.2(xmlFreeDoc+0x1b9)[0xb7e4d8f9]
php(php_libxml_decrement_doc_ref+0x46)[0x808b3f6]
php[0x8161faa]
php(zend_objects_store_del_ref_by_handle+0x179)[0x828fce9]
php(zend_objects_store_del_ref+0x18)[0x828fd28]
php(_zval_ptr_dtor+0x4f)[0x8267fef]
php[0x827db38]
php(zend_hash_reverse_apply+0x57)[0x827dc27]
php(shutdown_destructors+0x50)[0x8267f50]
php(zend_call_destructors+0x30)[0x8274400]
php(php_request_shutdown+0x268)[0x8233c18]
php(main+0x36d)[0x82ebfed]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7cddebc]
php(xmlTextReaderConstName+0x145)[0x808a611]
======= Memory map: ========
08048000-0839c000 r-xp 00000000 03:01 5360941 /usr/local/bin/php
0839c000-083b9000 rw-p 00354000 03:01 5360941 /usr/local/bin/php
083b9000-08618000 rw-p 083b9000 00:00 0 [heap]
b7a00000-b7a21000 rw-p b7a00000 00:00 0
b7a21000-b7b00000 ---p b7a21000 00:00 0
b7b97000-b7c18000 rw-p b7b97000 00:00 0
b7c18000-b7c1f000 r--s 00000000 03:01 5194177 /usr/lib/gconv/gconv-modules.cache
b7c1f000-b7c5a000 r--p 00000000 03:01 5242899 /usr/lib/locale/pt_BR.utf8/LC_CTYPE
b7c7b000-b7c86000 r-xp 00000000 03:01 2261088 /lib/libgcc_s.so.1
b7c86000-b7c87000 rw-p 0000a000 03:01 2261088 /lib/libgcc_s.so.1
b7c87000-b7c8b000 r-xp 00000000 03:01 2294771 /lib/tls/i686/cmov/libnss_dns-2.5.so
b7c8b000-b7c8d000 rw-p 00003000 03:01 2294771 /lib/tls/i686/cmov/libnss_dns-2.5.so
b7c8d000-b7c96000 r-xp 00000000 03:01 2294772 /lib/tls/i686/cmov/libnss_files-2.5.so
b7c96000-b7c98000 rw-p 00008000 03:01 2294772 /lib/tls/i686/cmov/libnss_files-2.5.so
b7c98000-b7c9a000 rw-p b7c98000 00:00 0
b7c9b000-b7c9c000 rw-p b7c9b000 00:00 0
b7c9c000-b7caf000 r-xp 00000000 03:01 5178599 /usr/lib/libz.so.1.2.3
b7caf000-b7cb0000 rw-p 00012000 03:01 5178599 /usr/lib/libz.so.1.2.3
b7cb0000-b7cc3000 r-xp 00000000 03:01 2294778 /lib/tls/i686/cmov/libpthread-2.5.so
b7cc3000-b7cc5000 rw-p 00013000 03:01 2294778 /lib/tls/i686/cmov/libpthread-2.5.so
b7cc5000-b7cc8000 rw-p b7cc5000 00:00 0
b7cc8000-b7e03000 r-xp 00000000 03:01 2294471 /lib/tls/i686/cmov/libc-2.5.so
b7e03000-b7e04000 r--p 0013b000 03:01 2294471 /lib/tls/i686/cmov/libc-2.5.so
b7e04000-b7e06000 rw-p 0013c000 03:01 2294471 /lib/tls/i686/cmov/libc-2.5.so
b7e06000-b7e09000 rw-p b7e06000 00:00 0
b7e09000-b7f20000 r-xp 00000000 03:01 5179128 /usr/lib/libxml2.so.2.6.27
b7f20000-b7f26000 rw-p 00116000 03:01 5179128 /usr/lib/libxml2.so.2.6.27
b7f26000-b7f39000 r-xp 00000000 03:01 2294480 /lib/tls/i686/cmov/libnsl-2.5.so
b7f39000-b7f3b000 rw-p 00012000 03:01 2294480 /lib/tls/i686/cmov/libnsl-2.5.so
b7f3b000-b7f3d000 rw-p b7f3b000 00:00 0
b7f3d000-b7f3f000 r-xp 00000000 03:01 2294474 /lib/tls/i686/cmov/libdl-2.5.so
b7f3f000-b7f41000 rw-p 00001000 03:01 2294474 /lib/tls/i686/cmov/libdl-2.5.so
b7f41000-b7f66000 r-xp 00000000 03:01 2294476 /lib/tls/i686/cmov/libm-2.5.so
b7f66000-b7f68000 rw-p 00024000 03:01 2294476 /lib/tls/i686/cmov/libm-2.5.so
b7f68000-b7f77000 r-xp 00000000 03:01 2294779 /lib/tls/i686/cmov/libresolv-2.5.so
b7f77000-b7f79000 rw-p 0000f000 03:01 2294779 /lib/tls/i686/cmov/libresolv-2.5.so
b7f79000-b7f7c000 rw-p b7f79000 00:00 0
b7f7c000-b7f83000 r-xp 00000000 03:01 2294780 /lib/tls/i686/cmov/librt-2.5.so
b7f83000-b7f85000 rw-p 00006000 03:01 2294780 /lib/tls/i686/cmov/librt-2.5.so
b7f85000-b7f8a000 r-xp 00000Cancelado (core dumped)
----------------------------------------
[EMAIL PROTECTED]:~/public_html$ gdb -q php
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r test.php
Starting program: /usr/local/bin/php test.php
[Thread debugging using libthread_db enabled]
[New Thread -1212278368 (LWP 15257)]

Warning: SimpleXMLElement::xpath(): xmlXPathCompOpEval: function foo not found in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): Unregistered function in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): xmlXPathEval: 2 object left on the stack in /home/felipe/public_html/test.php on line 5
*** glibc detected *** /usr/local/bin/php: corrupted double-linked list: 0x084afa90 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7c73b2a]
/lib/tls/i686/cmov/libc.so.6[0xb7c7550f]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7c78e30]
/usr/lib/libxml2.so.2(xmlDictFree+0xec)[0xb7e3217c]
/usr/lib/libxml2.so.2(xmlFreeDoc+0x1b9)[0xb7d938f9]
/usr/local/bin/php(php_libxml_decrement_doc_ref+0x46)[0x808b3f6]
/usr/local/bin/php[0x8161faa]
/usr/local/bin/php(zend_objects_store_del_ref_by_handle+0x179)[0x828fce9]
/usr/local/bin/php(zend_objects_store_del_ref+0x18)[0x828fd28]
/usr/local/bin/php(_zval_ptr_dtor+0x4f)[0x8267fef]
/usr/local/bin/php[0x827db38]
/usr/local/bin/php(zend_hash_reverse_apply+0x57)[0x827dc27]
/usr/local/bin/php(shutdown_destructors+0x50)[0x8267f50]
/usr/local/bin/php(zend_call_destructors+0x30)[0x8274400]
/usr/local/bin/php(php_request_shutdown+0x268)[0x8233c18]
/usr/local/bin/php(main+0x36d)[0x82ebfed]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7c23ebc]
/usr/local/bin/php(xmlTextReaderConstName+0x145)[0x808a611]
======= Memory map: ========
08048000-0839c000 r-xp 00000000 03:01 5360941 /usr/local/bin/php
0839c000-083b9000 rw-p 00354000 03:01 5360941 /usr/local/bin/php
083b9000-08618000 rw-p 083b9000 00:00 0 [heap]
b7900000-b7921000 rw-p b7900000 00:00 0
b7921000-b7a00000 ---p b7921000 00:00 0
b7add000-b7b5e000 rw-p b7add000 00:00 0
b7b5e000-b7b65000 r--s 00000000 03:01 5194177 /usr/lib/gconv/gconv-modules.cache
b7b65000-b7ba0000 r--p 00000000 03:01 5242899 /usr/lib/locale/pt_BR.utf8/LC_CTYPE
b7bc1000-b7bcc000 r-xp 00000000 03:01 2261088 /lib/libgcc_s.so.1
b7bcc000-b7bcd000 rw-p 0000a000 03:01 2261088 /lib/libgcc_s.so.1
b7bcd000-b7bd1000 r-xp 00000000 03:01 2294771 /lib/tls/i686/cmov/libnss_dns-2.5.so
b7bd1000-b7bd3000 rw-p 00003000 03:01 2294771 /lib/tls/i686/cmov/libnss_dns-2.5.so
b7bd3000-b7bdc000 r-xp 00000000 03:01 2294772 /lib/tls/i686/cmov/libnss_files-2.5.so
b7bdc000-b7bde000 rw-p 00008000 03:01 2294772 /lib/tls/i686/cmov/libnss_files-2.5.so
b7bde000-b7be0000 rw-p b7bde000 00:00 0
b7be1000-b7be2000 rw-p b7be1000 00:00 0
b7be2000-b7bf5000 r-xp 00000000 03:01 5178599 /usr/lib/libz.so.1.2.3
b7bf5000-b7bf6000 rw-p 00012000 03:01 5178599 /usr/lib/libz.so.1.2.3
b7bf6000-b7c09000 r-xp 00000000 03:01 2294778 /lib/tls/i686/cmov/libpthread-2.5.so
b7c09000-b7c0b000 rw-p 00013000 03:01 2294778 /lib/tls/i686/cmov/libpthread-2.5.so
b7c0b000-b7c0e000 rw-p b7c0b000 00:00 0
b7c0e000-b7d49000 r-xp 00000000 03:01 2294471 /lib/tls/i686/cmov/libc-2.5.so
b7d49000-b7d4a000 r--p 0013b000 03:01 2294471 /lib/tls/i686/cmov/libc-2.5.so
b7d4a000-b7d4c000 rw-p 0013c000 03:01 2294471 /lib/tls/i686/cmov/libc-2.5.so
b7d4c000-b7d4f000 rw-p b7d4c000 00:00 0
b7d4f000-b7e66000 r-xp 00000000 03:01 5179128 /usr/lib/libxml2.so.2.6.27
b7e66000-b7e6c000 rw-p 00116000 03:01 5179128 /usr/lib/libxml2.so.2.6.27
b7e6c000-b7e7f000 r-xp 00000000 03:01 2294480 /lib/tls/i686/cmov/libnsl-2.5.so
b7e7f000-b7e81000 rw-p 00012000 03:01 2294480 /lib/tls/i686/cmov/libnsl-2.5.so
b7e81000-b7e83000 rw-p b7e81000 00:00 0
b7e83000-b7e85000 r-xp 00000000 03:01 2294474 /lib/tls/i686/cmov/libdl-2.5.so
b7e85000-b7e87000 rw-p 00001000 03:01 2294474 /lib/tls/i686/cmov/libdl-2.5.so
b7e87000-b7eac000 r-xp 00000000 03:01 2294476 /lib/tls/i686/cmov/libm-2.5.so
b7eac000-b7eae000 rw-p 00024000 03:01 2294476 /lib/tls/i686/cmov/libm-2.5.so
b7eae000-b7ebd000 r-xp 00000000 03:01 2294779 /lib/tls/i686/cmov/libresolv-2.5.so
b7ebd000-b7ebf000 rw-p 0000f000 03:01 2294779 /lib/tls/i686/cmov/libresolv-2.5.so
b7ebf000-b7ec2000 rw-p b7ebf000 00:00 0
b7ec2000-b7ec9000 r-xp 00000000 03:01 2294780 /lib/tls/i686/cmov/librt-2.5.so
b7ec9000-b7ecb000 rw-p 00006000 03:01 2294780 /lib/tls/i686/cmov/librt-2.5.so
b7ecb000-b7ed0000 r-xp 00000000 03:01 2294473 /lib/tls/i686/cmov/libcrypt-2.5.so
b7ed0000-b7ed2000 rw-p 00004000 03:01 2294473 /lib/tls/i686/cmov/libcrypt-2.5.so
b7ed2000-b7ef9000 rw-p b7ed2000 00:00 0
b7f08000-b7f0a000 rw-p b7f08000 00:00 0
b7f0a000-b7f23000 r-xp 00000000
Program received signal SIGABRT, Aborted.
[Switching to Thread -1212278368 (LWP 15257)]
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7c37df0 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7c39641 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7c6d9bb in ?? () from /lib/tls/i686/cmov/libc.so.6
#4  0x00000005 in ?? ()
#5  0xbfa9be0c in ?? ()
#6  0x00000400 in ?? ()
#7  0x00000002 in ?? ()
#8  0x08277c21 in zend_register_functions (scope=0x828fce9, functions=0x8161faa, function_table=0xbfa9e9a7, type=-1210902870) at /home/felipe/php-5.2.4/Zend/zend_API.c:1705
#9  0xb7c73b2a in ?? () from /lib/tls/i686/cmov/libc.so.6
#10 0x00000002 in ?? ()
#11 0xb7d347a8 in ?? () from /lib/tls/i686/cmov/libc.so.6
#12 0xbfa9e9a7 in ?? ()
#13 0xb7d316aa in ?? () from /lib/tls/i686/cmov/libc.so.6
#14 0xbfa9c36f in ?? ()
#15 0xb7d316aa in ?? () from /lib/tls/i686/cmov/libc.so.6
#16 0xbfa9c36f in ?? ()
#17 0xb7d316aa in ?? () from /lib/tls/i686/cmov/libc.so.6
#18 0xb7d4c120 in ?? () from /lib/tls/i686/cmov/libc.so.6
#19 0x00000021 in ?? ()
#20 0xb7d4c138 in ?? () from /lib/tls/i686/cmov/libc.so.6
#21 0xb7d4c144 in ?? () from /lib/tls/i686/cmov/libc.so.6
---Type <return> to continue, or q <return> to quit---
#22 0x08603358 in ?? ()
#23 0xb7d4c150 in ?? () from /lib/tls/i686/cmov/libc.so.6
#24 0x00000070 in ?? ()
#25 0x00000002 in ?? ()
#26 0xb7c74fd1 in ?? () from /lib/tls/i686/cmov/libc.so.6
#27 0x30000040 in ?? ()
#28 0x66613438 in ?? ()
#29 0x00303961 in ?? ()
#30 0xb7d4aff4 in ?? () from /lib/tls/i686/cmov/libc.so.6
#31 0x084c71a8 in ?? ()
#32 0x084e71b0 in ?? ()
#33 0xbfa9c400 in ?? ()
#34 0xb7c7550f in ?? () from /lib/tls/i686/cmov/libc.so.6
#35 0x00000040 in ?? ()
#36 0xbfa9c3c8 in ?? ()
#37 0xb7d3481c in ?? () from /lib/tls/i686/cmov/libc.so.6
#38 0xb7d4c120 in ?? () from /lib/tls/i686/cmov/libc.so.6
#39 0x086018a0 in ?? ()
#40 0x086018d8 in ?? ()
#41 0x00000000 in ?? ()

-- 
Edit bug report at http://bugs.php.net/?id=42858&edit=1
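Added example, not part of the bug report and not PHP's or libxml2's own code: the report shows that an XPath predicate calling a function libxml2 has no registration for leaves objects on the XPath stack and the heap is then corrupted when the document is freed at request shutdown. An application that evaluates XPath built from untrusted input can refuse such expressions before they reach SimpleXMLElement::xpath(), which avoids the crash path on an unpatched build. The helper below scans the expression for function calls and rejects any name outside the XPath 1.0 core function library (plus the parenthesised node tests and keyword operators); XPATH_CORE_FUNCTIONS, xpath_unknown_functions, safe_xpath and the inline sample document are this example's own names and assumptions, and the inline document stands in for the remote page the report fetched.

```php
<?php
// Added example (not from the bug report): refuse XPath expressions that
// call functions libxml2 has no registration for, before they reach
// SimpleXMLElement::xpath(). On the affected build the unregistered call
// corrupts the heap at document teardown, so the query is never run.

declare(strict_types=1);

/** XPath 1.0 core function library plus node tests and keyword operators. */
const XPATH_CORE_FUNCTIONS = [
    'last', 'position', 'count', 'id', 'local-name', 'namespace-uri', 'name',
    'string', 'concat', 'starts-with', 'contains', 'substring-before',
    'substring-after', 'substring', 'string-length', 'normalize-space',
    'translate', 'boolean', 'not', 'true', 'false', 'lang', 'number', 'sum',
    'floor', 'ceiling', 'round',
    // node tests are written with parentheses too
    'node', 'text', 'comment', 'processing-instruction',
    // keyword operators may be followed by a parenthesised operand: "1 mod (2)"
    'and', 'or', 'mod', 'div',
];

/**
 * Return the function names called in $expr that are neither XPath 1.0 core
 * functions nor listed in $allowed (for example functions the application
 * registered itself via DOMXPath::registerPhpFunctions()). An empty array
 * means nothing unknown was found.
 */
function xpath_unknown_functions(string $expr, array $allowed = []): array
{
    // String literals cannot contain calls; blank them so "contains(., 'foo()')"
    // is not mistaken for a call of foo().
    $stripped = preg_replace('/\'[^\']*\'|"[^"]*"/', "''", $expr);

    // A QName (optional prefix) immediately followed by an opening parenthesis.
    preg_match_all(
        '/(?<![\w.\-])([A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?)\s*\(/',
        $stripped,
        $m
    );

    $known = array_flip(array_merge(XPATH_CORE_FUNCTIONS, $allowed));
    $unknown = [];
    foreach ($m[1] as $name) {
        if (!isset($known[$name])) {
            $unknown[$name] = true;
        }
    }
    return array_keys($unknown);
}

/**
 * Evaluate $expr only if every function it calls is known; otherwise throw,
 * so libxml2 never sees the unregistered call.
 */
function safe_xpath(SimpleXMLElement $xml, string $expr, array $allowed = []): array
{
    $bad = xpath_unknown_functions($expr, $allowed);
    if ($bad !== []) {
        throw new InvalidArgumentException(
            'XPath calls unknown function(s): ' . implode(', ', $bad)
        );
    }
    $result = $xml->xpath($expr);
    return $result === false ? [] : $result;
}

// Constructed sample document; the report fetched a remote page instead.
$xml = new SimpleXMLElement('<html><body><h1>foo</h1><h1>bar</h1></body></html>');

// A well-formed query passes through: two <h1> nodes.
printf("count(//h1) -> %d\n", count(safe_xpath($xml, '//h1')));

// The expression from the report is rejected before it reaches libxml2.
try {
    safe_xpath($xml, '//h1[.=foo()]');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The scanner is deliberately conservative: anything that looks like a call and is not on the list is refused rather than rewritten, and string literals are blanked first so a function name that appears only as quoted data does not trigger a false rejection. It is a guard for untrusted XPath on a build without the fix, not a substitute for upgrading.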