From:             andrei at vinchi dot ru
Operating system: Red Hat 7.2, SlackWare 9.0
PHP version:      4.3.5
PHP Bug Type:     *XML functions
Bug description:  Segmentation fault when xml_parse() used

Description:
------------
The xml_parse() function is used in a script that parses XML data containing
some " " strings. At this string it reports an error, but afterwards the script
dies and the Apache process crashes with a notice in error_log: "[notice] child
pid 27456 exit signal Segmentation Fault (11)".



Config line: ./configure --prefix=/opt/php
--with-apache=/usr/src/apache_1.3.27rusPL30.16 --with-zlib --with-bz2
--enable-bcmath --enable-calendar --with-readline --enable-exif
--enable-wddx --enable-dba --with-gdbm --with-dbase --with-system-regex
--with-mod_charset --with-pgsql=/usr/local/PostgreSQL
--with-mysql=/usr/local/MySQL --enable-safe-mode --enable-track-vars
--enable-memory-limit --disable-short-tags --disable-display-source
--with-gd --enable-gd-native-ttf --with-freetype-dir --with-jpeg-dir
--with-png-dir --with-xpm-dir --with-debug



gdb:

Program received signal SIGSEGV, Segmentation fault.
normal_updatePosition (enc=0x815edc0,
    ptr=0x821ca78 "ONTENT-DATA-175 CONTENT-DATA-176 CONTENT-DATA-177
CONTENT-DATA-178 CONTENT-DATA-179 CONTENT-DATA-180 CONTENT-DATA-181
CONTENT-DATA-182 CONTENT-DATA-183 CONTENT-DATA-184 CONTENT-DATA-185
CONTENT-DATA-1"...,
    end=0x821ada0
" DESCRIPTION-1 DESCRIPTION-2 DESCRIPTION-3 DESCRIPTION-4 DESCRIPTION-5 DESCRIPTION-6 DESCRIPTION-7 DESCRIPTION-8 DESCRIPTION-9 DESCRIPTION-10 DES"...,
pos=0x82144f0)
    at /andrei/php/build/php-4.3.5/ext/xml/expat/xmltok_impl.c:1747
1747        switch (BYTE_TYPE(enc, ptr)) {
(gdb)



Reproduce code:
---------------
1. http://na.vinchi.ru/mkfaultdata.php.txt

This script must be used to create the "bad.dat" file. It contains XML data
for parsing by the second script, which produces the crash.

2. http://na.vinchi.ru/xml-crash.php.txt



Expected result:
----------------
The script must output 50 lines like this: "Indexing: news_view.php?id=1".
The last number changes from 1 to 50.

Actual result:
--------------
Indexing: news_view.php?id=1

... cut ...

Indexing: news_view.php?id=19

XML parse error on 121 in 298



After that the script and the process die.

-- 
Edit bug report at http://bugs.php.net/?id=27811&edit=1