From: andrei at vinchi dot ru
Operating system: Red Hat 7.2, SlackWare 9.0
PHP version: 4.3.5
PHP Bug Type: *XML functions
Bug description: Segmentation fault when xml_parse() used
Description:
------------
The xml_parse() function is used in a script that parses XML data containing
some " " strings. At this string it reports an error, but afterwards the script
dies and the Apache process crashes with a notice in error_log: "[notice] child
pid 27456 exit signal Segmentation Fault (11)".
Config line: ./configure --prefix=/opt/php
--with-apache=/usr/src/apache_1.3.27rusPL30.16 --with-zlib --with-bz2
--enable-bcmath --enable-calendar --with-readline --enable-exif
--enable-wddx --enable-dba --with-gdbm --with-dbase --with-system-regex
--with-mod_charset --with-pgsql=/usr/local/PostgreSQL
--with-mysql=/usr/local/MySQL --enable-safe-mode --enable-track-vars
--enable-memory-limit --disable-short-tags --disable-display-source
--with-gd --enable-gd-native-ttf --with-freetype-dir --with-jpeg-dir
--with-png-dir --with-xpm-dir --with-debug
gdb:
Program received signal SIGSEGV, Segmentation fault.
normal_updatePosition (enc=0x815edc0,
ptr=0x821ca78 "ONTENT-DATA-175 CONTENT-DATA-176 CONTENT-DATA-177
CONTENT-DATA-178 CONTENT-DATA-179 CONTENT-DATA-180 CONTENT-DATA-181
CONTENT-DATA-182 CONTENT-DATA-183 CONTENT-DATA-184 CONTENT-DATA-185
CONTENT-DATA-1"...,
end=0x821ada0
" DESCRIPTION-1 DESCRIPTION-2 DESCRIPTION-3 DESCRIPTION-4 DESCRIPTION-5 DESCRIPTION-6 DESCRIPTION-7 DESCRIPTION-8 DESCRIPTION-9 DESCRIPTION-10 DES"...,
pos=0x82144f0)
at /andrei/php/build/php-4.3.5/ext/xml/expat/xmltok_impl.c:1747
1747 switch (BYTE_TYPE(enc, ptr)) {
(gdb)
Reproduce code:
---------------
1. http://na.vinchi.ru/mkfaultdata.php.txt
This script must be used to create the "bad.dat" file. It contains the XML data
to be parsed by the second script, which produces the crash.
2. http://na.vinchi.ru/xml-crash.php.txt
Expected result:
----------------
The script must output 50 lines like this: "Indexing: news_view.php?id=1".
The last number changes from 1 to 50.
Actual result:
--------------
Indexing: news_view.php?id=1
... cut ...
Indexing: news_view.php?id=19
XML parse error on 121 in 298
After that the script and the process die.
--
Edit bug report at http://bugs.php.net/?id=27811&edit=1