[xml] xmlNodeDumpOutput appears to corrupt data; crash follows in xmlStrEqual



I am using libxml2-2.4.30 library with:
 PHP 4.3.1
linux; kernel 2.4.18

I have found that a segmentation fault results from calling dump_node($node) with any xml node that includes an attribute.

Ilia, at PHP.net, has examined my backtrace and believes libxml2 is causing the crash, since he cannot reproduce this with the same version of PHP and a different version of libxml2.

Please let me know if I can offer further info/testing.
Backtrace follows, with original php code at the end.
- Greg Keraunen

From: "Ilia A." <ilia prohost org>
To: gk <gk proliberty com>
Subject: Re: backtrace - Re: Bug #21477 [Opn->Fbk]: $node->dump_node($node) crashes
Date: Tue, 7 Jan 2003 21:33:13 -0500
X-Mailer: KMail [version 1.4]
X-Envelope-To: gk proliberty com

Thank you for the detailed information, it looks like my initial conclusion
that this is a bug in domxml rather than PHP is correct. The function that
appears to corrupt the data, 'xmlNodeDumpOutput', is not a PHP function but
rather a domxml one, and so are xmlIsXHTML() and xmlStrEqual(), which is what
actually crashes. My suggestion is that you contact domxml developers with
this very backtrace, hopefully they'll be able to assist you.

Ilia



On January 7, 2003 09:34 pm, you wrote:
> Dear Ilia,
> Here is some more gdb output that might help.
>
> (gdb) info stack
> #0  xmlStrEqual (str1=0x3 <Address 0x3 out of bounds>,
>      str2=0x401632e0 "-//W3C//DTD XHTML 1.0 Strict//EN") at parser.c:1293
> #1  0x4010d834 in xmlIsXHTML (systemID=0x4015e9c0 "text",
>      publicID=0x3 <Address 0x3 out of bounds>) at tree.c:6728
> #2  0x4010d586 in xmlNodeDumpOutput (buf=0x81eadf8, doc=0x81f78a8,
>      cur=0x81f78a8, level=0, format=0, encoding=0x0) at tree.c:6599
> #3  0x4010cc72 in xmlNodeDump (buf=0x81eeaa0, doc=0x81f78a8, cur=0x81f78a8,
>      level=0, format=0) at tree.c:6164
> #4  0x080706ab in zif_domxml_dump_node (ht=1, return_value=0x81f584c,
>      this_ptr=0x81f3104, return_value_used=1)
>      at /home/greg/new/php4-STABLE-200301070230/ext/domxml/php_domxml.c:3697
> #5  0x0815576f in execute (op_array=0x81f27ac)
>      at /home/greg/new/php4-STABLE-200301070230/Zend/zend_execute.c:1596
> #6  0x08145756 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
>      at /home/greg/new/php4-STABLE-200301070230/Zend/zend.c:864
> #7  0x08115afd in php_execute_script (primary_file=0xbffff880)
>      at /home/greg/new/php4-STABLE-200301070230/main/main.c:1573
> #8  0x0815b134 in main (argc=3, argv=0xbffff924)
>      at /home/greg/new/php4-STABLE-200301070230/sapi/cli/php_cli.c:746
> #9  0x401a0507 in __libc_start_main (main=0x815a83c <main>, argc=3,
>      ubp_av=0xbffff924, init=0x8061588 <_init>, fini=0x815b7d0 <_fini>,
>      rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffff91c)
>      at ../sysdeps/generic/libc-start.c:129
> (gdb)
>

PHP code which causes the crash:
<?php

// this text causes crash:
$with_attr=<<<eot
<node attr="test"><test>hi</test>
</node>
eot;
// this text avoids crash:
$without_attr=<<<eot
<node><test>hi</test>
</node>
eot;
// using $with_attr causes crash:
$xml=$with_attr;
// using $without_attr doesn't crash:
// $xml=$without_attr;
$doc = domxml_open_mem($xml);
$root=$doc->root();
// the following dump_node() call fails:
$nodeContent =$root->dump_node($root);
// the following dump_mem() call succeeds, using $with_attr:
//$nodeContent =$doc->dump_mem();
echo htmlentities($nodeContent);
// php appears to have crashed; the following text is not printed:
echo "hi";
?>


- Greg Keraunen
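
Added example, not part of the original messages: a Python sketch that parses frames #0-#3 of the gdb output quoted above and reports which frame first handed the out-of-bounds pointer down the call chain. The names parse_frames and trace_bad_pointer are hypothetical, and matching arguments by value is a heuristic.

```python
import re

# Frames #0-#3 copied from the gdb output quoted above (mail line wraps joined).
BACKTRACE = """\
#0  xmlStrEqual (str1=0x3 <Address 0x3 out of bounds>, str2=0x401632e0 "-//W3C//DTD XHTML 1.0 Strict//EN") at parser.c:1293
#1  0x4010d834 in xmlIsXHTML (systemID=0x4015e9c0 "text", publicID=0x3 <Address 0x3 out of bounds>) at tree.c:6728
#2  0x4010d586 in xmlNodeDumpOutput (buf=0x81eadf8, doc=0x81f78a8, cur=0x81f78a8, level=0, format=0, encoding=0x0) at tree.c:6599
#3  0x4010cc72 in xmlNodeDump (buf=0x81eeaa0, doc=0x81f78a8, cur=0x81f78a8, level=0, format=0) at tree.c:6164
"""

FRAME_RE = re.compile(r'^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*)\) at (\S+)$')
ARG_RE = re.compile(r'(\w+)=(0x[0-9a-f]+|-?\d+)( <Address 0x[0-9a-f]+ out of bounds>)?')
STRING_PREVIEW_RE = re.compile(r'"(?:[^"\\]|\\.)*"')

def parse_frames(text):
    """Turn gdb 'info stack' lines into dicts; each arg maps to (value, out_of_bounds)."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        # Drop gdb's quoted string previews so their contents are not parsed as args.
        args_text = STRING_PREVIEW_RE.sub('', m.group(3))
        args = {name: (int(val, 0), bool(oob))
                for name, val, oob in ARG_RE.findall(args_text)}
        frames.append({"n": int(m.group(1)), "func": m.group(2),
                       "args": args, "loc": m.group(4)})
    return frames

def trace_bad_pointer(frames):
    """Return (bad value, frames that received it, first outer frame that did not)."""
    frames = sorted(frames, key=lambda f: f["n"])
    bad = next((v for f in frames for v, oob in f["args"].values() if oob), None)
    if bad is None:
        return None
    carriers = []
    for f in frames:
        if any(v == bad for v, _ in f["args"].values()):
            carriers.append(f)      # this frame was called with the bad value
        elif carriers:
            return bad, carriers, f  # its caller: the value originated here
    return bad, carriers, None

if __name__ == "__main__":
    bad, carriers, origin = trace_bad_pointer(parse_frames(BACKTRACE))
    print(hex(bad), [f["func"] for f in carriers], origin["func"], origin["loc"])
```
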



