Re: [xml] Core dump in DTD validate code in libxml2 2.4.25



On Wed, 2002-10-09 at 06:25, Daniel Veillard wrote:
On Wed, Oct 09, 2002 at 02:10:58AM -0400, Joe Marcus Clarke wrote:
After upgrading the FreeBSD port of libxml2 to 2.4.25, I noticed a seg
fault every time the DTD validation code is run.  This was first noticed
in scrollkeeper-0.3.11, but is also visible in xmllint.  The following
command will produce the core dump:

xmllint --dtdvalid /usr/X11R6/share/gnome/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd /usr/X11R6/share/gnome/omf/eog/eog-C.omf

The backtrace is:

#0  0x280ae39b in nodeVPop (ctxt=0xbfbfe910) at valid.c:166
166 PUSH_AND_POP(static, xmlNodePtr, node)
(gdb) bt
#0  0x280ae39b in nodeVPop (ctxt=0xbfbfe910) at valid.c:166
#1  0x280b3fb3 in xmlValidateElementContent (ctxt=0xbfbfe910,
child=0x8062180, 
    elemDecl=0x8074c80, warn=1, parent=0x8062140) at valid.c:4629

  Hum, I could not reproduce the problem with gdb ... but caught it with
valgrind, it was of course an uninitialized memory block usage :-(
The DTD validation code has been completely revamped in 2.4.25, but so
far it's the only bug reported, damn that's serious ...
  Please apply the committed patch part for valid.c (enclosed and
in CVS)

Thanks.  Patch works like a champ.  After I sent the email last night, I
triggered a malloc abort, and saw that ctxt->vstateTab was being freed
when it was never initialized (in the regexp mode).  However, when I
disabled regexp, the Python stuff didn't compile without some manual
removal of regexp variables and functions.  Just FYI.

Thanks for your help.

Joe


http://cvs.gnome.org/bonsai/cvsquery.cgi?module=gnome-xml&branch=HEAD&branchtype=match&dir=gnome-xml&file=&filetype=match&who=veillard&whotype=match&sortby=Date&hours=&date=explicit&mindate=10%2F09%2F02+06%3A19&maxdate=10%2F09%2F02+06%3A21&cvsroot=%2Fcvs%2Fgnome

  thanks for the report,

Daniel

-- 
Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
----


Index: valid.c
===================================================================
RCS file: /cvs/gnome/gnome-xml/valid.c,v
retrieving revision 1.131
retrieving revision 1.132
diff -c -r1.131 -r1.132
*** valid.c   8 Oct 2002 08:26:11 -0000       1.131
--- valid.c   9 Oct 2002 10:20:30 -0000       1.132
***************
*** 4552,4560 ****
         xmlElementPtr elemDecl, int warn, xmlNodePtr parent) {
      int ret = 1;
  #ifndef  LIBXML_REGEXP_ENABLED
!     xmlNodePtr last = NULL;
  #endif
!     xmlNodePtr repl = NULL, cur, tmp;
      xmlElementContentPtr cont;
      const xmlChar *name;
  
--- 4552,4560 ----
         xmlElementPtr elemDecl, int warn, xmlNodePtr parent) {
      int ret = 1;
  #ifndef  LIBXML_REGEXP_ENABLED
!     xmlNodePtr repl = NULL, last = NULL, tmp;
  #endif
!     xmlNodePtr cur;
      xmlElementContentPtr cont;
      const xmlChar *name;
  
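Review bot: with `repl`, `last` and `tmp` now declared only under `#ifndef LIBXML_REGEXP_ENABLED`, every later use of those three variables in xmlValidateElementContent has to sit under the same guard or a regexp-enabled build stops compiling; the later hunk guards the `repl` use in the error-reporting path, so the remaining references (the deallocation of the copy below `done:`, and any use of `tmp` and `last`) should be checked the same way. Moving `cur` out of the conditional is correct, since the regexp branch assigns `cur = child`.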
***************
*** 4572,4577 ****
--- 4572,4580 ----
      } else {
      xmlRegExecCtxtPtr exec;
  
+     ctxt->nodeMax = 0;
+     ctxt->nodeNr = 0;
+     ctxt->nodeTab = NULL;
      exec = xmlRegNewExecCtxt(elemDecl->contModel, NULL, NULL);
      if (exec != NULL) {
          cur = child;
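Review bot: zeroing `nodeMax`, `nodeNr` and `nodeTab` here is what stops `nodeVPop` from reading a never-initialised stack in the regexp branch (the `valid.c:166` frame in the backtrace), but the reset is done only on this side of the `if`; doing it once at function entry, before the branch, would make the invariant hold regardless of build configuration and of whether the caller zeroed the context. The reset also assumes no earlier allocation is still held in `nodeTab`, which is only true if the cleanup at the end of the function releases and clears it on every exit path.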
***************
*** 4763,4771 ****
--- 4766,4776 ----
          expr[0] = 0;
          xmlSnprintfElementContent(expr, 5000, cont, 1);
          list[0] = 0;
+ #ifndef LIBXML_REGEXP_ENABLED
          if (repl != NULL)
              xmlSnprintfElements(list, 5000, repl, 1);
          else
+ #endif /* LIBXML_REGEXP_ENABLED */
              xmlSnprintfElements(list, 5000, child, 1);
  
          if (name != NULL) {
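Review bot: the `else` keyword is now the last token inside the `#ifndef` block, so in a regexp-enabled build the line `xmlSnprintfElements(list, 5000, child, 1);` stands alone while in the other build it is the else-branch; that compiles, but an `else` whose statement lies across a preprocessor boundary is easy to break (adding a second statement or braces later silently changes which build gets it). A less fragile shape is to keep the whole if/else inside the `#ifndef` and put the unconditional call in a matching `#else`.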
***************
*** 4798,4804 ****
  
  #ifndef  LIBXML_REGEXP_ENABLED
  done:
- #endif
      /*
       * Deallocate the copy if done, and free up the validation stack
       */
--- 4803,4808 ----
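Review bot: removing this `#endif` leaves the `#ifndef LIBXML_REGEXP_ENABLED` opened before `done:` running past the end of the hunk, so the "Deallocate the copy if done, and free up the validation stack" comment and the code it introduces become non-regexp-only up to the new `#endif` in the next hunk; a short comment on the label or the `#ifndef` stating that the whole cleanup of the copy and of `vstateTab` is excluded from regexp builds would spare the reader pairing the directives across two hunks.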
***************
*** 4812,4817 ****
--- 4816,4822 ----
      xmlFree(ctxt->vstateTab);
      ctxt->vstateTab = NULL;
      }
+ #endif
      ctxt->nodeMax = 0;
      ctxt->nodeNr = 0;
      if (ctxt->nodeTab != NULL) {
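Review bot: this `#endif` is the fix for the crash Joe reports: `vstateTab` is set up only by the non-regexp validator, so the unconditional `xmlFree(ctxt->vstateTab)` in regexp mode freed whatever the caller's uninitialised context happened to hold (the malloc abort he saw). Two small points: match the `#endif /* LIBXML_REGEXP_ENABLED */` comment style used in the earlier hunk, and keep the `ctxt->nodeMax = 0; ctxt->nodeNr = 0;` lines that follow unconditional, as they are, because the regexp branch now uses the node stack too.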
-- 
Joe Marcus Clarke
FreeBSD GNOME Team      ::      marcus FreeBSD org
http://www.FreeBSD.org/gnome
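The defect Joe describes (a node stack in the validation context that the regexp path popped and released without ever setting it up), as an added example in C that is not libxml2's code: it models the context's nodeTab/nodeNr/nodeMax fields and shows the entry reset and the matched release the patch introduces. `ValidCtxt`, `validateChildren` and `demoVisitCount` are constructed names, and the junk-filled context stands in for xmllint's uninitialised caller-side struct.

```c
/* Constructed model (not libxml2 code) of the per-call node stack in the
 * validation context; names follow valid.c, helpers stand in for PUSH_AND_POP. */
#include <stdlib.h>
typedef struct Node { int id; struct Node *next; } Node;
typedef struct {
    Node **nodeTab;   /* stack storage; must be NULL before the first push */
    int    nodeNr;    /* live entries */
    int    nodeMax;   /* capacity; must be 0 before the first push */
} ValidCtxt;
/* Grow-on-demand push; only safe once the three fields have been reset. */
static int nodeVPush(ValidCtxt *ctxt, Node *n) {
    if (ctxt->nodeNr >= ctxt->nodeMax) {
        int max = ctxt->nodeMax ? ctxt->nodeMax * 2 : 4;
        Node **tab = realloc(ctxt->nodeTab, (size_t)max * sizeof(*tab));
        if (tab == NULL) return -1;
        ctxt->nodeTab = tab; ctxt->nodeMax = max;
    }
    ctxt->nodeTab[ctxt->nodeNr] = n;
    return ctxt->nodeNr++;
}
/* Guarded pop: an empty or unset stack yields NULL instead of a wild read. */
static Node *nodeVPop(ValidCtxt *ctxt) {
    if (ctxt->nodeNr <= 0 || ctxt->nodeTab == NULL) return NULL;
    return ctxt->nodeTab[--ctxt->nodeNr];
}
/* Push each child, unwind, release. The entry reset is the line the patch adds
 * to the regexp branch; returns children visited, or -1 on allocation failure. */
int validateChildren(ValidCtxt *ctxt, Node *child) {
    int visited = 0;
    ctxt->nodeMax = 0; ctxt->nodeNr = 0; ctxt->nodeTab = NULL;
    for (Node *cur = child; cur != NULL; cur = cur->next) {
        if (nodeVPush(ctxt, cur) < 0) { free(ctxt->nodeTab); return -1; }
        visited++;
    }
    while (nodeVPop(ctxt) != NULL) ;   /* unwind; stops cleanly when empty */
    free(ctxt->nodeTab);               /* pairs with the allocation above */
    ctxt->nodeTab = NULL; ctxt->nodeMax = 0; ctxt->nodeNr = 0;
    return visited;
}
/* Drives validateChildren over a constructed list of `count` (<= 8) nodes with
 * the context pre-filled with junk, as an uninitialised caller struct would be. */
int demoVisitCount(int count) {
    Node nodes[8];
    if (count < 0 || count > 8) return -1;
    for (int i = 0; i < count; i++)
        nodes[i].id = i, nodes[i].next = (i + 1 < count) ? &nodes[i + 1] : NULL;
    ValidCtxt ctxt = { (Node **)nodes, 7, 99 };   /* junk values */
    return validateChildren(&ctxt, count ? nodes : NULL);
}
```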



