Re: [xml] stack corruption (2.5.4)



I'm not sure if this is of interest to the general public or not, but I'll
mail the list anyway since it may be useful to someone.

I tried applying the patches, to fix the 2 ParseDTD routines and to
prevent manipulating doc if it isn't set, to 2.5.4 this morning. I hoped
that it would cure my problem (as it did when applied to 2.5.7 yesterday.)

The bad news is that it didn't. I still get a corrupt stack, so I
guess other fixes must have been introduced since 2.5.4 that are required
as well as the patches above.

I'd like to be able to move onto a newer release of libxml2 (2.5.8 I guess)
but unfortunately that's not a straightforward option for me right now. I'm
going to keep investigating the 2.5.4 bug, so any further pointers as to
things worth looking at would be appreciated.

The only other news I have is that it appears that the problem only manifests
itself if xmlValidateDocument() is called, then nodes are added and then
xmlValidateDocument() is called again. Just to be clear, I am no longer
executing the code to put in a DTD, I'm just calling xmlValidateDocument()
and ignoring the error messages. 

If I don't make the second call to xmlValidateDocument() then I don't get a
problem. (or maybe I do, but it isn't visible).

Gary

On Wed, Apr 30, 2003 at 12:08:38PM -0400, Daniel Veillard wrote:
On Wed, Apr 30, 2003 at 04:02:27PM +0100, Gary Pennington sun com wrote:
On Wed, Apr 30, 2003 at 03:55:43PM +0100, Gary Pennington sun com wrote:
Ok, we've got a reproducible test case and I have some information.

If we apply the patch you sent out, then the stack corruption problem
disappears but we get a core dump when the document is freed.

This problem is caused by the following line in the patch:

  ret->doc = NULL;

This will set the external subset of the document to have a null pointer.

In xmlUnlinkNode(), the following line causes the SIGSEGV:

    if (cur->type == XML_DTD_NODE) {
        xmlDocPtr doc;
        doc = cur->doc;
        if (doc->intSubset == (xmlDtdPtr) cur)
            doc->intSubset = NULL;
        if (doc->extSubset == (xmlDtdPtr) cur)   <== SIGSEGV HERE

Oops, I of course meant SIGSEGV on the above line.

  Okay, that's a libxml2 bug too. It gets a pointer and dereferences it
without checking it first against NULL; that part should really be:

    if (cur->type == XML_DTD_NODE) {
        xmlDocPtr doc;
        doc = cur->doc;
        if (doc != NULL) {
            if (doc->intSubset == (xmlDtdPtr) cur)
                doc->intSubset = NULL;
            if (doc->extSubset == (xmlDtdPtr) cur)
                doc->extSubset = NULL;
        }
    }

  thanks for spotting this out.

Daniel

-- 
Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/

-- 
Gary Pennington
Solaris Kernel Development,
Sun Microsystems
Gary Pennington sun com
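To make the two code paths discussed above concrete, here is an added, self-contained C model of the unlink step; it is not libxml2's code, and the ModelDoc/ModelNode structures and the scenario function are stand-ins assumed for illustration. It shows the NULL-doc check preventing the crash, and also that after the orphaned-DTD case the document still points at the node, which the caller must still account for.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-ins for the libxml2 structures involved (assumed, not libxml2's own). */
enum { MODEL_ELEMENT_NODE = 1, MODEL_DTD_NODE = 14 };

typedef struct ModelDoc ModelDoc;
typedef struct ModelNode {
    int type;
    ModelDoc *doc;   /* owning document; may be NULL, as after "ret->doc = NULL" */
} ModelNode;

struct ModelDoc {
    ModelNode *intSubset; /* internal DTD, if any */
    ModelNode *extSubset; /* external DTD, if any */
};

/* Hardened unlink of a DTD node, with the NULL check from the corrected version.
 * Returns true if a subset pointer on the document was cleared, false otherwise.
 * The unpatched code dereferenced doc unconditionally and crashed when it was NULL. */
bool unlink_dtd_node(ModelNode *cur)
{
    bool cleared = false;
    if (cur == NULL || cur->type != MODEL_DTD_NODE)
        return false;
    ModelDoc *doc = cur->doc;
    if (doc != NULL) {                       /* the check that was missing */
        if (doc->intSubset == cur) { doc->intSubset = NULL; cleared = true; }
        if (doc->extSubset == cur) { doc->extSubset = NULL; cleared = true; }
    }
    cur->doc = NULL;
    return cleared;
}

/* Scenario from the thread (constructed): the external subset's doc pointer was
 * set to NULL, then the node is unlinked. Returns 1 if the document still
 * references the DTD node afterwards, 0 if the reference was cleared. */
int scenario_orphaned_extsubset(void)
{
    ModelDoc doc = { NULL, NULL };
    ModelNode dtd = { MODEL_DTD_NODE, &doc };
    doc.extSubset = &dtd;
    dtd.doc = NULL;                          /* what "ret->doc = NULL" did */
    unlink_dtd_node(&dtd);                   /* no SIGSEGV, but clears nothing */
    return doc.extSubset == &dtd ? 1 : 0;    /* 1: stale reference remains */
}
```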


