Re: [xml] an xpath segfault reproducible with xmllint



Daniel Veillard wrote:
  Can you make sure no patch was applied on SuSE rpms, I doubt it but
that may happen. Maybe someone from SuSE is monitoring that list and can
act on this problem (thanks in advance !)

Hello Petr and Daniel!

I'm the maintainer of libxml2 in SuSE. Our libxml2-2.6.27 has 4 patches, I'm
attaching the relevant one (null-retval.patch). This was a patch for an older
bug I reported earlier: http://bugzilla.gnome.org/show_bug.cgi?id=400242
- and was fixed in CVS by William M. Brac.

GDB output of testcase with debuginfo installed:

(gdb) r --shell test.xml
Starting program: /usr/bin/xmllint --shell test.xml
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
XPath error : Invalid type
xmlXPathEval: 3 object left on the stack

Program received signal SIGSEGV, Segmentation fault.
0x00002b2102bb5d4b in xmlXPathFreeNodeSet (obj=0x6660f0) at xpath.c:4059
4059                if ((obj->nodeTab[i] != NULL) &&

Valgrind output is attached in libxml2-valgrind.txt.

--
Best Regards / S pozdravom,

Pavol RUSNAK                                       SUSE LINUX, s.r.o
Package Maintainer                                Lihovarska 1060/12
PGP 0xA6917144                                     19000 Praha 9, CR
prusnak[at]suse.cz                                http://www.suse.cz
==13912== Memcheck, a memory error detector.
==13912== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==13912== Using LibVEX rev 1732, a library for dynamic binary translation.
==13912== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==13912== Using valgrind-3.2.3, a dynamic binary instrumentation framework.
==13912== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==13912== For more details, rerun with: -v
==13912== 
XPath error : Invalid number of arguments
XPath error : Invalid type
==13912== Invalid read of size 4
==13912==    at 0x55374BA: xmlXPathFreeObject (xpath.c:5331)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097190 is 0 bytes inside a block of size 72 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid read of size 4
==13912==    at 0x55374F5: xmlXPathFreeObject (xpath.c:5332)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x40971A0 is 16 bytes inside a block of size 72 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid read of size 8
==13912==    at 0x5537520: xmlXPathFreeObject (xpath.c:5343)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097198 is 8 bytes inside a block of size 72 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid read of size 8
==13912==    at 0x5536D1C: xmlXPathFreeNodeSet (xpath.c:4054)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097210 is 8 bytes inside a block of size 16 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid read of size 4
==13912==    at 0x5536D23: xmlXPathFreeNodeSet (xpath.c:4058)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097208 is 0 bytes inside a block of size 16 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid read of size 8
==13912==    at 0x5536D29: xmlXPathFreeNodeSet (xpath.c:4058)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097210 is 8 bytes inside a block of size 16 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid read of size 8
==13912==    at 0x5536D42: xmlXPathFreeNodeSet (xpath.c:4059)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097248 is 0 bytes inside a block of size 80 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x5536D73: xmlXPathFreeNodeSet (xpath.c:4062)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid read of size 4
==13912==    at 0x5536D3C: xmlXPathFreeNodeSet (xpath.c:4058)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097208 is 0 bytes inside a block of size 16 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid free() / delete / delete[]
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x5536D73: xmlXPathFreeNodeSet (xpath.c:4062)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097248 is 0 bytes inside a block of size 80 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x5536D73: xmlXPathFreeNodeSet (xpath.c:4062)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid free() / delete / delete[]
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097208 is 0 bytes inside a block of size 16 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x553752D: xmlXPathFreeObject (xpath.c:5344)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== Invalid free() / delete / delete[]
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x5544BBD: xmlXPathEval (xpath.c:14823)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912==  Address 0x4097190 is 0 bytes inside a block of size 72 free'd
==13912==    at 0x4C2286B: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x55450EF: xmlXPathCompOpEvalPredicate (xpath.c:11586)
==13912==    by 0x5546198: xmlXPathNodeCollectAndTest (xpath.c:12376)
==13912==    by 0x5543644: xmlXPathCompOpEval (xpath.c:13241)
==13912==    by 0x5542FF7: xmlXPathCompOpEval (xpath.c:13719)
==13912==    by 0x55447FD: xmlXPathRunEval (xpath.c:14287)
==13912==    by 0x5544B71: xmlXPathEval (xpath.c:14801)
==13912==    by 0x55353DA: xmlShell (debugXML.c:2989)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
xmlXPathEval: 3 object left on the stack
==13912== 
==13912== ERROR SUMMARY: 11 errors from 11 contexts (suppressed: 2 from 1)
==13912== malloc/free: in use at exit: 279,777 bytes in 250 blocks.
==13912== malloc/free: 743 allocs, 496 frees, 334,050 bytes allocated.
==13912== For counts of detected errors, rerun with: -v
==13912== searching for pointers to 250 not-freed blocks.
==13912== checked 398,072 bytes.
==13912== 
==13912== 
==13912== 14 bytes in 2 blocks are still reachable in loss record 1 of 10
==13912==    at 0x4C22C56: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x5CCC911: strdup (in /lib64/libc-2.5.so)
==13912==    by 0x529C2F6: _nc_setupterm (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C969: tgetent (in /lib64/libncurses.so.5.6)
==13912==    by 0x4E4F709: _rl_init_terminal_io (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C416: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== 
==13912== 26 bytes in 1 blocks are still reachable in loss record 2 of 10
==13912==    at 0x4C22C56: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x529A1AF: _nc_home_terminfo (in /lib64/libncurses.so.5.6)
==13912==    by 0x5299E54: _nc_next_db (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A01C4: _nc_read_entry (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C0BF: _nc_setupterm (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C969: tgetent (in /lib64/libncurses.so.5.6)
==13912==    by 0x4E4F709: _rl_init_terminal_io (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C416: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912== 
==13912== 
==13912== 83 bytes in 1 blocks are still reachable in loss record 3 of 10
==13912==    at 0x4C22C56: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x529D4C7: _nc_tparm_analyze (in /lib64/libncurses.so.5.6)
==13912==    by 0x529D6ED: tparm (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A06BC: (within /lib64/libncurses.so.5.6)
==13912==    by 0x52A09AA: _nc_trim_sgr0 (in /lib64/libncurses.so.5.6)
==13912==    by 0x529CAC6: tgetent (in /lib64/libncurses.so.5.6)
==13912==    by 0x4E4F709: _rl_init_terminal_io (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C416: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912== 
==13912== 
==13912== 160 bytes in 1 blocks are still reachable in loss record 4 of 10
==13912==    at 0x4C21F7F: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x529FE64: _nc_read_termtype (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A0071: _nc_read_file_entry (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A0231: _nc_read_entry (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C0BF: _nc_setupterm (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C969: tgetent (in /lib64/libncurses.so.5.6)
==13912==    by 0x4E4F709: _rl_init_terminal_io (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C416: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912== 
==13912== 
==13912== 180 bytes in 1 blocks are still reachable in loss record 5 of 10
==13912==    at 0x4C22C56: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x529FFBB: _nc_read_termtype (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A0071: _nc_read_file_entry (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A0231: _nc_read_entry (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C0BF: _nc_setupterm (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C969: tgetent (in /lib64/libncurses.so.5.6)
==13912==    by 0x4E4F709: _rl_init_terminal_io (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C416: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912== 
==13912== 
==13912== 208 bytes in 1 blocks are still reachable in loss record 6 of 10
==13912==    at 0x4C21F7F: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x529C0A5: _nc_setupterm (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C969: tgetent (in /lib64/libncurses.so.5.6)
==13912==    by 0x4E4F709: _rl_init_terminal_io (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C416: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== 
==13912== 1,024 bytes in 1 blocks are still reachable in loss record 7 of 10
==13912==    at 0x4C22D57: realloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x4E5272A: xrealloc (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3FC8F: rl_add_funmap_entry (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3FCCF: rl_initialize_funmap (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C42C: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== 
==13912== 1,409 bytes in 1 blocks are still reachable in loss record 8 of 10
==13912==    at 0x4C22C56: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x529F9B4: _nc_read_termtype (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A0071: _nc_read_file_entry (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A0231: _nc_read_entry (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C0BF: _nc_setupterm (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C969: tgetent (in /lib64/libncurses.so.5.6)
==13912==    by 0x4E4F709: _rl_init_terminal_io (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C416: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912== 
==13912== 
==13912== 3,601 bytes in 4 blocks are still reachable in loss record 9 of 10
==13912==    at 0x4C22D57: realloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x5299F0A: _nc_doalloc (in /lib64/libncurses.so.5.6)
==13912==    by 0x529FD8E: _nc_read_termtype (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A0071: _nc_read_file_entry (in /lib64/libncurses.so.5.6)
==13912==    by 0x52A0231: _nc_read_entry (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C0BF: _nc_setupterm (in /lib64/libncurses.so.5.6)
==13912==    by 0x529C969: tgetent (in /lib64/libncurses.so.5.6)
==13912==    by 0x4E4F709: _rl_init_terminal_io (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C416: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912== 
==13912== 
==13912== 273,072 bytes in 237 blocks are still reachable in loss record 10 of 10
==13912==    at 0x4C22C56: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==13912==    by 0x4E52765: xmalloc (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3C5CA: rl_initialize (in /lib64/libreadline.so.5.2)
==13912==    by 0x4E3D276: readline (in /lib64/libreadline.so.5.2)
==13912==    by 0x407765: xmlShellReadline (xmllint.c:781)
==13912==    by 0x5534618: xmlShell (debugXML.c:2847)
==13912==    by 0x406B41: parseAndPrintFile (xmllint.c:2310)
==13912==    by 0x408E12: main (xmllint.c:3499)
==13912== 
==13912== LEAK SUMMARY:
==13912==    definitely lost: 0 bytes in 0 blocks.
==13912==      possibly lost: 0 bytes in 0 blocks.
==13912==    still reachable: 279,777 bytes in 250 blocks.
==13912==         suppressed: 0 bytes in 0 blocks.
--- xpath.c
+++ xpath.c
@@ -14543,6 +14543,8 @@
     xmlXPathInit();
 
     pctxt = xmlXPathNewParserContext(str, ctxt);
+    if (pctxt == NULL)
+        return NULL;
     xmlXPathCompileExpr(pctxt, 1);
 
     if( pctxt->error != XPATH_EXPRESSION_OK )
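Review bot: the early `return NULL` after `xmlXPathNewParserContext(str, ctxt)` leaves the caller unable to tell an allocation failure from a failed compile, unless the allocator has already raised an error of its own. The function's header comment should state that NULL is also returned when the parser context cannot be allocated.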
@@ -14794,6 +14796,8 @@
     xmlXPathInit();
 
     ctxt = xmlXPathNewParserContext(str, ctx);
+    if (ctxt == NULL)
+      return NULL;
     xmlXPathEvalExpr(ctxt);
 
     if (ctxt->value == NULL) {
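Review bot: the added `return NULL;` in this hunk is indented by six spaces where the other two hunks use eight; align it. More importantly, this guard only covers a NULL parser context before `xmlXPathEvalExpr(ctxt)`. The valgrind trace in this message reports the invalid reads and frees under xmlXPathEval at xpath.c:14823, after evaluation has run, on blocks already freed under xmlXPathCompOpEvalPredicate (xpath.c:11586), so the reported segfault is on a path this check does not reach and needs a separate fix.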
@@ -14854,6 +14858,8 @@
     xmlXPathInit();
 
     pctxt = xmlXPathNewParserContext(str, ctxt);
+    if (pctxt == NULL)
+        return NULL;
     xmlXPathEvalExpr(pctxt);
 
     if ((*pctxt->cur != 0) || (pctxt->error != XPATH_EXPRESSION_OK)) {
