178167 – xsltproc calls free() on invalid memory when given a custom XSLT that imports profile-htmlhelp.xsl

Bug 178167 - xsltproc calls free() on invalid memory when given a custom XSLT that imports profile-htmlhelp.xsl

Summary: xsltproc calls free() on invalid memory when given a custom XSLT that imports...

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	libxslt
Sub Component:
Version:	4
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Veillard
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-01-18 06:36 UTC by David Costanzo
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-01-19 08:44:45 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
htmlhelp.xsl - style sheet that causes the invalid free (202 bytes, text/plain) 2006-01-18 06:38 UTC, David Costanzo	no flags	Details
logohelp.xml -- DocBook XML that reproduces the crash (186 bytes, text/plain) 2006-01-18 06:43 UTC, David Costanzo	no flags	Details
View All

Description David Costanzo 2006-01-18 06:36:52 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
I wrote some documentation in DocBook and convert it to HTML Help using xsltproc.  Everything works fine when I use /usr/share/sgml/docbook/xsl-stylesheets-1.68.1-1/htmlhelp/profile-htmlhelp.xsl from docbook-style-xsl-1.68.1-1 as my style sheet.  However, when I use a style sheet that includes that one, xsltproc crashes.  According to glibc, xsltproc calls free on invalid memory (glibc catches and then aborts).


Version-Release number of selected component (if applicable):
libxslt-1.1.14-2

How reproducible:
Always

Steps to Reproduce:
1. Download attachements.
2. Execute  xsltproc --nonet htmlhelp.xsl logohelp.xml

  

Actual Results:  xsltproc processes that XML file, then aborts.  glibc complains that xsltproc called free() on invalid memory.

Expected Results:  xsltproc processes the XML file (or displays a sensible error message).

Additional info:

The following command:

   xsltproc --nonet htmlhelp.xsl  logohelp.xml

Produces the following output:

  Writing index.html for book
  Writing htmlhelp.hhp
  *** glibc detected *** xsltproc: free(): invalid pointer: 0xb7eec4ed ***
  ======= Backtrace: =========
  /lib/libc.so.6[0xacb384]
  /lib/libc.so.6(__libc_free+0x77)[0xacb8bf]
  /usr/lib/libxml2.so.2(xmlFreeNode+0x1ce)[0x7cc8b66]
  /usr/lib/libxml2.so.2(xmlAddChild+0x147)[0x7ccbcc1]
  /usr/lib/libxslt.so.1[0x122dc9]
  /usr/lib/libxslt.so.1[0x123d63]
  /usr/lib/libxslt.so.1(xsltIf+0x1c8)[0x1286c1]
  /usr/lib/libxslt.so.1[0x1238b0]
  /usr/lib/libxslt.so.1(xsltCallTemplate+0x116)[0x1274c3]
  /usr/lib/libxslt.so.1[0x1238b0]
  /usr/lib/libxslt.so.1[0x114611]
  /usr/lib/libxslt.so.1[0x1153b7]
  /usr/lib/libxslt.so.1(xsltCallTemplate+0x16f)[0x12751c]
  /usr/lib/libxslt.so.1[0x1238b0]
  /usr/lib/libxslt.so.1(xsltCallTemplate+0x116)[0x1274c3]
  /usr/lib/libxslt.so.1[0x1238b0]
  /usr/lib/libxslt.so.1[0x12982f]
  xsltproc[0x8049968]
  xsltproc[0x804a40d]
  /lib/libc.so.6(__libc_start_main+0xc6)[0xa7cd46]
  xsltproc(xmlNoNetExternalEntityLoader+0x149)[0x8049361]
  ======= Memory map: ========
  00101000-00133000 r-xp 00000000 fd:00 3717837    /usr/lib/libxslt.so.1.1.14
  00133000-00134000 rwxp 00032000 fd:00 3717837    /usr/lib/libxslt.so.1.1.14
  00134000-00146000 r-xp 00000000 fd:00 3717066    /usr/lib/libz.so.1.2.2.2
  00146000-00147000 rwxp 00011000 fd:00 3717066    /usr/lib/libz.so.1.2.2.2
  003c8000-003c9000 r-xp 003c8000 00:00 0          [vdso]
  008e8000-008eb000 r-xp 00000000 fd:00 3711968      /usr/lib/libgpg-error.so.0.1.3
  008eb000-008ec000 rwxp 00002000 fd:00 3711968      /usr/lib/libgpg-error.so.0.1.3
  00a4a000-00a64000 r-xp 00000000 fd:00 22413331   /lib/ld-2.3.5.so
  00a64000-00a65000 r-xp 00019000 fd:00 22413331   /lib/ld-2.3.5.so
  00a65000-00a66000 rwxp 0001a000 fd:00 22413331   /lib/ld-2.3.5.so
  00a68000-00b8c000 r-xp 00000000 fd:00 22413337   /lib/libc-2.3.5.so
  00b8c000-00b8e000 r-xp 00124000 fd:00 22413337   /lib/libc-2.3.5.so
  00b8e000-00b90000 rwxp 00126000 fd:00 22413337   /lib/libc-2.3.5.so
  00b90000-00b92000 rwxp 00b90000 00:00 0
  00b94000-00bb6000 r-xp 00000000 fd:00 22413364   /lib/libm-2.3.5.so
  00bb6000-00bb7000 r-xp 00021000 fd:00 22413364   /lib/libm-2.3.5.so
  00bb7000-00bb8000 rwxp 00022000 fd:00 22413364   /lib/libm-2.3.5.so
  00bba000-00bbc000 r-xp 00000000 fd:00 22413358   /lib/libdl-2.3.5.so
  00bbc000-00bbd000 r-xp 00001000 fd:00 22413358   /lib/libdl-2.3.5.so
  00bbd000-00bbe000 rwxp 00002000 fd:00 22413358   /lib/libdl-2.3.5.so
  00bc0000-00bd0000 r-xp 00000000 fd:00 3709429    /usr/lib/libexslt.so.0.8.12
  00bd0000-00bd1000 rwxp 0000f000 fd:00 3709429    /usr/lib/libexslt.so.0.8.12
  00db1000-00dbf000 r-xp 00000000 fd:00 22413376   /lib/libpthread-2.3.5.so
  00dbf000-00dc0000 r-xp 0000d000 fd:00 22413376   /lib/libpthread-2.3.5.so
  00dc0000-00dc1000 rwxp 0000e000 fd:00 22413376   /lib/libpthread-2.3.5.so
  00dc1000-00dc3000 rwxp 00dc1000 00:00 0
  00dc5000-00dce000 r-xp 00000000 fd:00 22413327   /lib/libgcc_s-4.0.2-20051126.so.1
  00dce000-00dcf000 rwxp 00009000 fd:00 22413327   /lib/libgcc_s-4.0.2-20051126.so.1
  0541f000-05466000 r-xp 00000000 fd:00 3706853    /usr/lib/libgcrypt.so.11.2.0
  05466000-0546b000 rwxp 00047000 fd:00 3706853    /usr/lib/libgcrypt.so.11.2.0
  058e6000-058f8000 r-xp 00000000 fd:00 22413352   /lib/libnsl-2.3.5.so
  058f8000-058f9000 r-xp 00011000 fd:00 22413352   /lib/libnsl-2.3.5.so
  058f9000-058fa000 rwxp 00012000 fd:00 22413352   /lib/libnsl-2.3.5.so
  058fa000-058fc000 rwxp 058fa000 00:00 0
  07c8e000-07da1000 r-xp 00000000 fd:00 3713164    /usr/lib/libxml2.so.2.6.20
  07da1000-07da9000 rwxp 00113000 fd:00 3713164    /usr/lib/libxml2.so.2.6.20
  07da9000-07daa000 rwxp 07da9000 00:00 0
  08048000-0804c000 r-xp 00000000 fd:00 3717694    /usr/bin/xsltproc
  0804c000-0804e000 rw-p 00003000 fd:00 3717694    /usr/bin/xsltproc
  09df9000-0d4f4000 rw-p 09df9000 00:00 0          [heap]
  b7c00000-b7c21000 rw-p b7c00000 00:00 0
  b7c21000-b7d00000 ---p b7c21000 00:00 0
  b7db5000-b7e16000 rw-p b7db5000 00:00 0
  b7e90000-b7f36000 rw-p b7e90000 00:00 0
  bff35000-bff4b000 rw-p bff35000 00:00 0          [stack]
zsh: abort      xsltproc --nonet htmlhelp.xsl logohelp.xml

Comment 1 David Costanzo 2006-01-18 06:38:36 UTC

Created attachment 123357 [details]
htmlhelp.xsl - style sheet that causes the invalid free

Comment 2 David Costanzo 2006-01-18 06:43:37 UTC

Created attachment 123358 [details]
logohelp.xml -- DocBook XML that reproduces the crash

logohelp.xml is an XML that reproduces the invalid free().  logohelp.xml used
to be much more complicated, but I cut it down to a reasonable size for a
repro.	The resulting XML may be invalid DocBook, but the invalid free() will
also happen on valid DocBook XML.  It not happen on badly-formed XML.

Comment 3 Daniel Veillard 2006-01-18 10:47:04 UTC

Try to update your libxml2 and libxslt to the latest versions (2.6.23 and
1.1.15) from ftp://xmlsoft.org/ and see if it solves it. 
This depends a lot on other parts of your infrastructure, like which stylesheets
for DocBook transformations your are using, and that is not part of my
environment.

Daniel

Comment 4 David Costanzo 2006-01-19 08:27:54 UTC

I have confirmed that the invalid free() is NOT reproducible with these packages:

  libxml2-2.6.23-1
  libxslt-1.1.15-1

Thanks for the tip, Daniel.

Comment 5 Daniel Veillard 2006-01-19 08:44:45 UTC

okay, it's probably not worth pushing an update to FC4, and those versions are
in rawhide, so it will be fixed in FC5

Daniel

Note You need to log in before you can comment on or make changes to this bug.