
Re: [xml] an xpath segfault reproducible with xmllint



On Wed, Apr 04, 2007 at 04:42:27PM +0200, Pavol Rusnak wrote:
> Daniel Veillard wrote:
> >   What is the stack like, and value for i and obj->nodeNr.
> > As stated I tested with latest SVN version on 2 machines without seeing the
> > problem myself.
> 
> (gdb) r --shell test.xml
> Starting program: /usr/bin/xmllint --shell test.xml
> / > xpath *[ a=name(concat(""))]
> XPath error : Invalid number of arguments
> XPath error : Invalid type
> xmlXPathEval: 3 object left on the stack
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x00002b9636a24d4b in xmlXPathFreeNodeSet (obj=0x6660f0) at xpath.c:4059
> 4059                if ((obj->nodeTab[i] != NULL) &&
> (gdb) bt
> #0  0x00002b9636a24d4b in xmlXPathFreeNodeSet (obj=0x6660f0) at xpath.c:4059
> #1  0x00002b9636a2552e in xmlXPathFreeObject (obj=0x666170) at xpath.c:5344
> #2  0x00002b9636a32c1d in xmlXPathEval (str=0x2b96369df5c0
> "UH\211�SH\201��", ctx=0x61b7c0)
>     at xpath.c:14832
> #3  0x00002b9636a233db in xmlShell (doc=<value optimized out>,
>     filename=0x7fff749b23f9 "test.xml", input=<value optimized out>,
>     output=<value optimized out>) at debugXML.c:2989
> #4  0x0000000000406b42 in parseAndPrintFile (filename=0x7fff749b23f9
> "test.xml", rectxt=0x0)
>     at xmllint.c:2310
> #5  0x0000000000408e13 in main (argc=3, argv=0x7fff749b09e8) at
> xmllint.c:3499
> #6  0x00002b9637165944 in __libc_start_main () from /lib64/libc.so.6
> #7  0x00000000004044a9 in _start ()
> (gdb) p i
> $1 = 10
> (gdb) p obj->nodeTab[i]
> $2 = (xmlNodePtr) 0x60
> (gdb) p obj->nodeNr
> $3 = 6711616

  -> that value is clearly corrupted

> (gdb)
> 
> File test.xml contains only "<aaa />"

Can you find where obj->nodeNr is reset with that value? Here I get 0 as
expected:

Starting program: /u/veillard/XML/xmllint --shell test.xml
/ > xpath *[ a=name(concat(""))]

Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa498e38) at xpath.c:4055
4055    xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) c
Continuing.
XPath error : Invalid number of arguments
XPath error : Invalid type

Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa4985c8) at xpath.c:4055
4055    xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) c
Continuing.

Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa498f18) at xpath.c:4055
4055    xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) c
Continuing.

Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa498cc8) at xpath.c:4055
4055    xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) c
Continuing.
xmlXPathEval: 3 object left on the stack

Breakpoint 1, xmlXPathFreeNodeSet (obj=0xa4983c8) at xpath.c:4055
4055    xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
(gdb) p *obj
$5 = {nodeNr = 0, nodeMax = 10, nodeTab = 0xa498418}
(gdb) c
Continuing.
Object is empty (NULL)
/ > 

When allocating a node set nodeNr and nodeMax are always initialized to 0
(see xmlXPathNewNodeSet).

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/
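As an added example, not code from libxml2 or from this thread: a small C model of the xmlNodeSet header fields (nodeNr, nodeMax, nodeTab) whose release routine checks the counter against nodeMax before walking the table, so a clobbered nodeNr like the 6711616 in the trace above is reported instead of being used as a loop bound. The struct, the function names and the scenario in `demo` are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal model of the xmlNodeSet header fields (nodeNr, nodeMax, nodeTab).
 * Constructed for illustration; nodes are opaque pointers, not xmlNode. */
typedef struct {
    int    nodeNr;   /* entries in use */
    int    nodeMax;  /* slots allocated in nodeTab */
    void **nodeTab;  /* table of node pointers */
} NodeSet;

/* Same invariant as xmlXPathNewNodeSet: counters start at 0 on allocation. */
NodeSet *node_set_new(int slots) {
    NodeSet *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->nodeTab = calloc((size_t)slots, sizeof *s->nodeTab);
    if (s->nodeTab == NULL) { free(s); return NULL; }
    s->nodeMax = slots;  /* nodeNr stays 0 */
    return s;
}

/* Release the set. Returns the number of non-NULL entries walked, or -1
 * when nodeNr is outside 0..nodeMax: the table is then left untouched,
 * since walking it is what faulted at xpath.c:4059 in the trace. */
int node_set_free_checked(NodeSet *s) {
    if (s == NULL) return 0;
    if (s->nodeNr < 0 || s->nodeNr > s->nodeMax) {
        fprintf(stderr, "node set corrupted: nodeNr=%d nodeMax=%d\n",
                s->nodeNr, s->nodeMax);
        return -1;  /* leak on purpose rather than read past the table */
    }
    int walked = 0;
    for (int i = 0; i < s->nodeNr; i++)
        if (s->nodeTab[i] != NULL) walked++;  /* stand-in for per-node work */
    free(s->nodeTab);
    free(s);
    return walked;
}

/* Constructed scenario: an empty set, then one whose nodeNr is clobbered
 * with the value from the gdb session (6711616 against nodeMax 10). */
int demo(void) {
    NodeSet *ok = node_set_new(10);
    int r1 = node_set_free_checked(ok);             /* 0 */
    NodeSet *bad = node_set_new(10);
    bad->nodeNr = 6711616;                          /* simulated corruption */
    int r2 = node_set_free_checked(bad);            /* -1, table not touched */
    bad->nodeNr = 0; node_set_free_checked(bad);    /* tidy up */
    return (r1 == 0 && r2 == -1);
}
```

In a real libxml2 debugging session the equivalent question is answered with a hardware watchpoint on the field (`watch obj->nodeNr` in gdb), which stops at the write that clobbers it.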


