I attach a simple python script (libxml2_crash.py) that seems to
reference uninitialised memory, or crash the interpreter.
Run on various setups, the results were (using ï for random junk char):
* debian stable (2.6.27 plus security patches and py 2.4):
    segfault
* win32 (2.6.30 and py 2.4):
    xmlns:ïïï="ïïï"
    xmlns:ïïï="ïïï"
* gentoo unstable (2.6.31 and py 2.5):
    xmlns:ïïï="ïïï"
    TypeError: __str__ returned non-string (type NoneType)
* same but sparc:
    bus error (I'm told "most likely a segfault that falls unaligned")

It's not just the serialisation that's borked, any property reference
- including the repr (which uses xmlNs.name) - can return junk or
boom. More complicated documents crash in different places, or
traceback when trying to construct the python xmlNs wrapper in
nodeWrap (line 550) with:
    if name[0:8] == "document":
    TypeError: unsubscriptable object
(That may not be related, seems that xmlNs.name is ns->prefix which is
allowed to be NULL -> None -> unsubscriptable, no?)

However xmlNs nodes are constructed fine through xmlNode.ns so it
seems to be an xpath related problem. I could find nothing that seemed
to be related in recent changelog or bugtracker. Is this a real issue
that's just gone unnoticed?

I tried the simplest C equivalent I could cook up from the docs
(attached libxml2_nocrash.c) which behaves itself, perhaps suggesting
the problem's in the python bindings. Could someone with a good
understanding of the lib get a better idea of what exactly is up?

Martin
Attachment: libxml2_crash.py (Description: Text Data)
Attachment: libxml2_nocrash.c (Description: Text Data)