(Repost) Re: [xml] Memory reference after xmlFree in XPath evaluation



[I posted this over a week ago but so for there has been no response. It is a test case demonstrating a potential memory reference after free problem I believe I have identified in XPath evaluation. This situation is causing me genuine problems using libxml2 and I have spent some time trying to track down the cause. I would appreciate some guidance either to patch libxml2 to cure the problem or alternatively, if anyone else on the list has encountered this, guidance as to how to structure the application to avoid the reference after free.]


Here is the test case for the reference after free problem.

I compiled the attached program using

gcc -c -g `xml2-config --cflags` xptest.c
gcc xptest.o `xml2-config --libs` -o xptest

running the compiled program gave me the following results :-

The XML file is constructed so that the first two cases produce the same output

$ ./xptest xptest.xml '//token'
<token>12345</token>
<token>abcdefg</token>
<token>67890</token>
<token>zyx</token>
<token>xyzzy</token>
<token>plugh</token>

$ ./xptest xptest.xml 'xp:tokenize(//string)'
<token>12345</token>
<token>abcdefg</token>
<token>67890</token>
<token>zyx</token>
<token>xyzzy</token>
<token>plugh</token>

Next verify the filter gives expected results

$ ./xptest xptest.xml '//token[position() mod 2 = 1]'
<token>12345</token>
<token>67890</token>
<token>xyzzy</token>

confidence check that filter works as expected on the value of a function returning a node-set

$ ./xptest xptest.xml 'xp:node-set(//token)[position() mod 2 = 1]'
<token>12345</token>
<token>67890</token>
<token>xyzzy</token>

so far so good, the next case should produce the same output as the previous one.

$ ./xptest xptest.xml 'xp:tokenize(//string)[position() mod 2 = 1]'
xmlEncodeEntitiesReentrant : input not UTF-8
<Ø&6 Ø&6@>
<text>&#144;&amp;6@&amp;6@</text>
</Ø&6 Ø&6@>
<À&6 À&6@>
<text>&amp;6@&amp;6 H</text>
</À&6 À&6@>
<Ø&6 Ø&6@>
<text>&amp;6@&amp;6 h</text>
</Ø&6 Ø&6@>

In this case output was corrupt - could just as easily have been a SIGSEGV.

Two possibilities: node persistence should be managed differently than in the test program. Since this is copied from libexslt, libexslt is buggy as is my code that is based on that methodology.

Otherwise, libexslt does persistence management as intended and libxml2's XPath evaluation is buggy as outlined in my original message,

Brian Stafford

Attachment: xptest.xml
Description: Text Data

Attachment: xptest.c
Description: Text Data



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]