Re: [xml] xmlNodeDumpOutput appears to corrupt data; crash follows in xmlStrEqual

[Daniel Veillard <veillard redhat com>]

On Tue, Jan 07, 2003 at 07:11:18PM -0800, gk wrote:
> I am using libxml2-2.4.30 library with:
>   PHP 4.3.1
> linux; kernel 2.4.18
> 
> I have found segmentation fault results from calling dump_node($node) with 
> any xml node that includes an attribute.
> 
> Ilia, at PHP.net has examined my backtrace and believes libxml2 is causing 
> the crash since he cannot reproduce this with the same version of PHP and 
> different version of libxml2.
> 
> Please let me know if I can offer further info/testing.
> Backtrace follows, with original php code at the end.
> - Greg Keraunen
> 
> >From: "Ilia A." <ilia prohost org>
> >To: gk <gk proliberty com>
> >Subject: Re: backtrace - Re: Bug #21477 [Opn->Fbk]: 
> >$node->dump_node($node)  crashes
> >Date: Tue, 7 Jan 2003 21:33:13 -0500
> >X-Mailer: KMail [version 1.4]
> >X-Envelope-To: gk proliberty com
> >
> >Thank you for the detailed information, it looks like my initial conclusion
> >that this is a bug in domxml rather then PHP is correct. The function that
> >appears to corrupt the data, 'xmlNodeDumpOutput' is not a PHP function but
> >rather a domxml one so is xmlIsXHTML() and xmlStrEqual() which is what
> >actually crashes. My suggestion is that you contact domxml developers with
> >this very backtrace, hopefuly they'll be able to assist you.
> >
> >Ilia
> >
> >
> >
> >On January 7, 2003 09:34 pm, you wrote:
> > > Dear Ilia,
> > > Here is some more gdb output that might help.
> > >
> > > (gdb) info stack
> > > #0  xmlStrEqual (str1=0x3 <Address 0x3 out of bounds>,
> > >      str2=0x401632e0 "-//W3C//DTD XHTML 1.0 Strict//EN") at parser.c:1293
> > > #1  0x4010d834 in xmlIsXHTML (systemID=0x4015e9c0 "text",
> > >      publicID=0x3 <Address 0x3 out of bounds>) at tree.c:6728

  The DTD node for the document was not properly initialized. The call
made by xmlNodeDumpOutput is :
  is_xhtml = xmlIsXHTML(dtd->SystemID, dtd->ExternalID);

  the DTD is looked for based on the document passed to xmlNodeDumpOutput().
And the pointer stored in the DTD for the system ID is invalid. Go back
to the PHP maintainer and ask him to fix the code making that xmlDtdPtr node.
That DTD node was not generated by libxml2 as part of the parsed document
since there is NO DOCTYPE entries in the parsed examples. I have no idea
what the PHP code looks like but getting an invalid DTD node for a document
which did not contained any initially doesn't give me a good opinion of
that code quality honnestly. I have no idea of what's going on there, but
this doesn't sound good, really.

Daniel

-- 
Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/