Bug 178167

Summary: xsltproc calls free() on invalid memory when given a custom XSLT that imports profile-htmlhelp.xsl
Product: Fedora
Component: libxslt
Reporter: David Costanzo <david_costanzo>
Assignee: Daniel Veillard <veillard>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: 4
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-01-19 08:44:45 UTC

Attachments:
  htmlhelp.xsl - style sheet that causes the invalid free
  logohelp.xml -- DocBook XML that reproduces the crash

Description David Costanzo 2006-01-18 06:36:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
I wrote some documentation in DocBook and converted it to HTML Help using xsltproc. Everything works fine when I use /usr/share/sgml/docbook/xsl-stylesheets-1.68.1-1/htmlhelp/profile-htmlhelp.xsl from docbook-style-xsl-1.68.1-1 as my style sheet. However, when I use a style sheet that includes that one, xsltproc crashes. According to glibc, xsltproc calls free on invalid memory (glibc catches and then aborts).


Version-Release number of selected component (if applicable):
libxslt-1.1.14-2

How reproducible:
Always

Steps to Reproduce:
1. Download attachments.
2. Execute xsltproc --nonet htmlhelp.xsl logohelp.xml

Actual Results:  xsltproc processes that XML file, then aborts.  glibc complains that xsltproc called free() on invalid memory.

Expected Results:  xsltproc processes the XML file (or displays a sensible error message).

Additional info:

The following command:

   xsltproc --nonet htmlhelp.xsl  logohelp.xml

Produces the following output:

  Writing index.html for book
  Writing htmlhelp.hhp
  *** glibc detected *** xsltproc: free(): invalid pointer: 0xb7eec4ed ***
  ======= Backtrace: =========
  /lib/libc.so.6[0xacb384]
  /lib/libc.so.6(__libc_free+0x77)[0xacb8bf]
  /usr/lib/libxml2.so.2(xmlFreeNode+0x1ce)[0x7cc8b66]
  /usr/lib/libxml2.so.2(xmlAddChild+0x147)[0x7ccbcc1]
  /usr/lib/libxslt.so.1[0x122dc9]
  /usr/lib/libxslt.so.1[0x123d63]
  /usr/lib/libxslt.so.1(xsltIf+0x1c8)[0x1286c1]
  /usr/lib/libxslt.so.1[0x1238b0]
  /usr/lib/libxslt.so.1(xsltCallTemplate+0x116)[0x1274c3]
  /usr/lib/libxslt.so.1[0x1238b0]
  /usr/lib/libxslt.so.1[0x114611]
  /usr/lib/libxslt.so.1[0x1153b7]
  /usr/lib/libxslt.so.1(xsltCallTemplate+0x16f)[0x12751c]
  /usr/lib/libxslt.so.1[0x1238b0]
  /usr/lib/libxslt.so.1(xsltCallTemplate+0x116)[0x1274c3]
  /usr/lib/libxslt.so.1[0x1238b0]
  /usr/lib/libxslt.so.1[0x12982f]
  xsltproc[0x8049968]
  xsltproc[0x804a40d]
  /lib/libc.so.6(__libc_start_main+0xc6)[0xa7cd46]
  xsltproc(xmlNoNetExternalEntityLoader+0x149)[0x8049361]
zsh: abort      xsltproc --nonet htmlhelp.xsl logohelp.xml

Comment 1 David Costanzo 2006-01-18 06:38:36 UTC
Created attachment 123357 [details]
htmlhelp.xsl - style sheet that causes the invalid free

Comment 2 David Costanzo 2006-01-18 06:43:37 UTC
Created attachment 123358 [details]
logohelp.xml -- DocBook XML that reproduces the crash

logohelp.xml is an XML file that reproduces the invalid free(). logohelp.xml used
to be much more complicated, but I cut it down to a reasonable size for a
repro. The resulting XML may be invalid DocBook, but the invalid free() will
also happen on valid DocBook XML. It does not happen on badly-formed XML.

Comment 3 Daniel Veillard 2006-01-18 10:47:04 UTC
Try to update your libxml2 and libxslt to the latest versions (2.6.23 and
1.1.15) from ftp://xmlsoft.org/ and see if it solves it.
This depends a lot on other parts of your infrastructure, like which stylesheets
for DocBook transformations you are using, and that is not part of my
environment.

Daniel

Comment 4 David Costanzo 2006-01-19 08:27:54 UTC
I have confirmed that the invalid free() is NOT reproducible with these packages:

  libxml2-2.6.23-1
  libxslt-1.1.15-1

Thanks for the tip, Daniel.
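As an added check that is not part of this bug report: the affected setup was libxslt 1.1.14 on libxml2 2.6.20, and comment 4 confirmed that libxml2 2.6.23 with libxslt 1.1.15 no longer reproduces the invalid free(). The script below decides which side of that line an installation falls on. It assumes that the first line of `xsltproc --version` has the form `Using libxml 20620, libxslt 10114 and libexslt 812`, with each number packed as MAJOR*10000 + MINOR*100 + MICRO.

```shell
#!/bin/sh
# Added example, not from the bug report. Parses the version line printed by
# xsltproc --version (format assumed as described in the lead-in) and reports
# whether the libxml2/libxslt pair has reached the versions from comment 4.

# Convert a packed version number such as 10114 to dotted form (1.1.14).
unpack_version() {
    n=$1
    echo "$(( n / 10000 )).$(( (n / 100) % 100 )).$(( n % 100 ))"
}

# Return 0 when libxml2 >= 2.6.23 and libxslt >= 1.1.15 (the combination that
# did not reproduce the crash), 1 when older, 2 when the line is not parseable.
# Prints the dotted versions so an operator can see what was detected.
versions_fixed() {
    line=$1
    xml=$(printf '%s\n' "$line" | sed -n 's/.*libxml \([0-9]*\),.*/\1/p')
    xslt=$(printf '%s\n' "$line" | sed -n 's/.*libxslt \([0-9]*\) .*/\1/p')
    [ -n "$xml" ] && [ -n "$xslt" ] || return 2
    echo "libxml2 $(unpack_version "$xml"), libxslt $(unpack_version "$xslt")"
    [ "$xml" -ge 20623 ] && [ "$xslt" -ge 10115 ]
}

# Constructed sample lines: the reporter's affected setup and a fixed one.
AFFECTED='Using libxml 20620, libxslt 10114 and libexslt 812'
FIXED='Using libxml 20623, libxslt 10115 and libexslt 813'

# When xsltproc is installed, classify the real installation.
if command -v xsltproc >/dev/null 2>&1; then
    if versions_fixed "$(xsltproc --version 2>/dev/null | head -n 1)"; then
        echo "installed xsltproc is at or past the versions that fixed bug 178167"
    else
        echo "installed xsltproc may still be affected by bug 178167"
    fi
fi
```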

Comment 5 Daniel Veillard 2006-01-19 08:44:45 UTC
okay, it's probably not worth pushing an update to FC4, and those versions are
in rawhide, so it will be fixed in FC5

Daniel