[xml] an xpath segfault reproducible with xmllint

From: Petr Pajas <pajas ufal mff cuni cz>
To: xml gnome org
Subject: [xml] an xpath segfault reproducible with xmllint
Date: Tue, 3 Apr 2007 18:04:54 +0200

Hi Daniel, All,

I have experienced segfaults where just an error should be issued. After 
playing with the xpath for a while, I have narrowed it to the following test 
case:

xmllint --shell test.xml
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
XPath error : Invalid type
xmlXPathEval: 3 object left on the stack
Object is empty (NULL)
/ > xpath *[ a=name(concat(""))]
XPath error : Invalid number of arguments
Segmentation fault (SIGSEGV)

Notes:
1) test.xml can by any XML file

2) you may need to repeat the xpath query two or more times before it actually 
segfaults, but valgrind indicates a problem already during the first run

3) with just *[name("")] I have to repeat 3 times before it segfaults, but it 
does; valgrind shows a problem only on 1st run, though

4) name("") alone is ok (invalid type error is reported)

5) I'm running libxml2-2.6.27, openSuSE 10.2

-- Petr

Follow-Ups:
- Re: [xml] an xpath segfault reproducible with xmllint
  - From: Daniel Veillard
- Re: [xml] an xpath segfault reproducible with xmllint
  - From: Pavol Rusnak

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]