Bug 203125 - PHP crashes when validating with errors
Summary: PHP crashes when validating with errors
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: libxml2
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Veillard
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 461607
 
Reported: 2006-08-18 14:57 UTC by Bastien Nocera
Modified: 2008-09-09 12:52 UTC (History)

Fixed In Version: RHBA-2007-0195
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-01 22:46:24 UTC
Target Upstream Version:
Embargoed:


Attachments
- test.c (2.96 KB, text/x-csrc), 2006-08-18 14:57 UTC, Bastien Nocera
- patch to avoid modifying an immutable buffer on iconv errors (566 bytes, patch), 2006-08-18 15:13 UTC, Daniel Veillard
- libxml2-encoding-warning-crasher.patch (406 bytes, patch), 2006-08-21 12:13 UTC, Bastien Nocera
- the real fix for this problem (2.03 KB, patch), 2006-08-22 14:28 UTC, Daniel Veillard


Links
Red Hat Product Errata RHBA-2007:0195 (priority normal, status SHIPPED_LIVE): libxml2 bug fix update, last updated 2007-04-27 20:43:08 UTC

Description Bastien Nocera 2006-08-18 14:57:10 UTC
php-4.3.9-3.15
libxml2-2.6.16-6

This was the original test case. 3 files:
test.php:
<?php
       // Validating load against the DTD named in the DOCTYPE; the third
       // argument receives the validation errors (the original snippet
       // dumped $err without ever assigning it).
       $dom = domxml_open_file("test.xml", DOMXML_LOAD_VALIDATING, $err);
       var_dump($err);
?>

test.xml:
<?xml version="1.0"?>
<!DOCTYPE DAUGHTERPAGE SYSTEM 'syntax.dtd'>
<DAUGHTERPAGE version="2">
<INFOBLOCK>
</INFOBLOCK>
</DAUGHTERPAGE>

syntax.dtd:
<!ELEMENT DAUGHTERPAGE  (INFOBLOCK? )>
<!ATTLIST DAUGHTERPAGE  version CDATA  #IMPLIED >

Running "php test.php" will result in a segfault. I reproduced the issue
mimicking php's php_domxml plugin in a C testcase (attached below, along with
the produced backtrace)

The problem doesn't exist with a current libxml2 from upstream.

Comment 1 Bastien Nocera 2006-08-18 14:57:11 UTC
Created attachment 134446 [details]
test.c

Comment 2 Daniel Veillard 2006-08-18 15:11:37 UTC
Okay, I can reproduce this on RHEL4, I will try to come up with a patch shortly.

Daniel

Comment 3 Daniel Veillard 2006-08-18 15:13:35 UTC
Created attachment 134449 [details]
patch to avoid modifying an immutable buffer on iconv errors

Comment 4 Daniel Veillard 2006-08-18 15:15:32 UTC
I think the customer is hitting
  http://bugzilla.gnome.org/show_bug.cgi?id=340398
which was fixed by the attached patch 134449.

Can you try to rebuild a RHEL4 package with it? Or should I?

Daniel

Comment 5 Bastien Nocera 2006-08-18 15:28:31 UTC
Sebastien is testing this now.

Comment 6 Jay Turner 2006-08-21 01:44:03 UTC
QE ack for 4.5.

Comment 7 Bastien Nocera 2006-08-21 12:13:18 UTC
Created attachment 134556 [details]
libxml2-encoding-warning-crasher.patch

Updated patch that applies against libxml2-2.6.16-6

Comment 8 Bastien Nocera 2006-08-21 12:14:46 UTC
The patch doesn't work though:
#1  0x00d017eb in xmlResetError__internal_alias (err=0xbfe22d80) at error.c:856
#2  0x00d0199d in __xmlRaiseError (schannel=0,
    channel=0x80484fc <domxml_error_validate>, data=0xbfe22c00,
    ctx=0xbfe22c00, nod=0x8512dd8, domain=23, code=534, level=XML_ERR_ERROR,
    file=0x1000 <Address 0x1000 out of bounds>, line=100,
    str1=0x8512e18 "INFOBLOCK", str2=0x8512e18 "INFOBLOCK", str3=0x0, int1=0,
    int2=0, msg=0xdbe9a8 "No declaration for element %s\n") at error.c:528
#3  0x00d2ebe3 in xmlErrValidNode (ctxt=Variable "ctxt" is not available.
) at valid.c:152
#4  0x00d35323 in xmlValidGetElemDecl (ctxt=0x8509074, doc=0x8512988,
    elem=0x8512dd8, extsubset=0xbfe2025c) at valid.c:5455
#5  0x00d35b75 in xmlValidateOneElement__internal_alias (ctxt=0x8509074,
    doc=0x8512988, elem=0x8512dd8) at valid.c:5791
#6  0x00dada5a in xmlSAX2EndElementNs__internal_alias (ctx=0x8509008,
    localname=0x85125d0 "INFOBLOCK", prefix=0x0, URI=0x0) at SAX2.c:2215
#7  0x00d0e632 in xmlParseEndTag2 (ctxt=0x8509008, prefix=0x0,
    URI=0x449804 "", line=4495364, nsNr=0, tlen=9) at parser.c:7751
#8  0x00d1918c in xmlParseElement__internal_alias (ctxt=0x8509008)
    at parser.c:8086
#9  0x00d17976 in xmlParseContent__internal_alias (ctxt=0x8509008)
    at parser.c:7905
#10 0x00d1912f in xmlParseElement__internal_alias (ctxt=0x8509008)
    at parser.c:8065
#11 0x00d19887 in xmlParseDocument__internal_alias (ctxt=0x8509008)
    at parser.c:8666
#12 0x080485d5 in main (argc=1, argv=0xbfe35704) at test.c:59


Comment 9 Daniel Veillard 2006-08-21 13:01:59 UTC
Works for me! Compiling tst.c on a 2.6.16 build (static to make sure it uses
the right libs):

  before applying the patch

(gdb) r
Starting program: /u/veillard/rpms/BUILD/libxml2-2.6.16/tst
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xd41000
[Thread debugging using libthread_db enabled]
[New Thread -1208100656 (LWP 30686)]
output conversion failed due to conv error
Bytes: 0xFF 0xFF 0xFF 0xFF

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208100656 (LWP 30686)]
0x0804b468 in xmlCharEncOutFunc (handler=0x8f1d5f8, out=0x8f1d620,
    in=0x8f2e680) at encoding.c:2063
2063                    in->content[0] = ' ';

 after applying the patch

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": File in wrong format
`/u/veillard/rpms/BUILD/libxml2-2.6.16/tst' has changed; re-reading symbols.

Starting program: /u/veillard/rpms/BUILD/libxml2-2.6.16/tst
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xd41000
output conversion failed due to conv error
Bytes: 0xFF 0xFF 0xFF 0xFF
error: -2

Program exited normally.
(gdb)

   Where is the stack trace from comment #8 coming from?

Daniel

Comment 10 Bastien Nocera 2006-08-21 14:45:36 UTC
Looking at it, I don't really see what the patch(es) have to do with the problem.
The stack trace in comment #8 is the same one as in the attachment, and has to
do with the error handling.

I tested this on a RHEL4 with libxml2-2.6.16-6.test (libxml2-2.6.16-6 + patch
from comment #7).

Here's the interesting bits of the valgrind output:
==21663== Conditional jump or move depends on uninitialised value(s)
==21663==    at 0x403C728: __xmlRaiseError (error.c:498)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Use of uninitialised value of size 4
==21663==    at 0x403C72F: __xmlRaiseError (error.c:498)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Conditional jump or move depends on uninitialised value(s)
==21663==    at 0x403C747: __xmlRaiseError (error.c:502)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Use of uninitialised value of size 4
==21663==    at 0x403C74E: __xmlRaiseError (error.c:503)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Use of uninitialised value of size 4
==21663==    at 0x403C751: __xmlRaiseError (error.c:504)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1B3: xmlResetError (error.c:852)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x64 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1C5: xmlResetError (error.c:854)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x8048034 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1D7: xmlResetError (error.c:856)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1E9: xmlResetError (error.c:858)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x5 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1FB: xmlResetError (error.c:860)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x7 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid read of size 1
==21663==    at 0x40A350B: xmlStrdup (xmlstring.c:70)
==21663==    by 0x403C392: __xmlRaiseError (error.c:534)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==  Address 0x1000 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Process terminating with default action of signal 11 (SIGSEGV)
==21663==  Access not within mapped region at address 0x1000
==21663==    at 0x40A350B: xmlStrdup (xmlstring.c:70)
==21663==    by 0x403C392: __xmlRaiseError (error.c:534)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)

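The valgrind output above shows the failure mode precisely: __xmlRaiseError reads uninitialised fields from an error record (error.c:498-504), xmlResetError then free()s whatever those fields hold (addresses like 0x64, 0x20 and 0x5), and xmlStrdup finally faults reading the garbage file pointer 0x1000. The following is an added illustration, not libxml2's or PHP's code: a small C model of such an error record whose reset frees owned strings, with an explicit initialised marker so that a reset on a record that was never set up is refused instead of freeing garbage. The struct layout, the ERR_MAGIC value and the function names are assumptions made for this example; the error code 534 and the strings are taken from the backtrace above.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not libxml2 code: a model of an error record whose
 * "reset" frees owned string fields, as xmlResetError does in the trace
 * above.  Field names and the ERR_MAGIC marker are assumptions. */

#define ERR_MAGIC 0x45525231u   /* marker written by init_error() */

typedef struct {
    unsigned magic;   /* ERR_MAGIC once init_error() has run */
    int      code;    /* e.g. 534 in the backtrace above */
    int      line;
    char    *file;    /* owned: NULL or malloc'd */
    char    *str1;    /* owned */
    char    *message; /* owned */
} error_rec;

/* Portable strdup (strdup is POSIX, not ISO C). */
static char *copy_str(const char *s)
{
    size_t n;
    char *p;
    if (s == NULL)
        return NULL;
    n = strlen(s) + 1;
    p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Every record must pass through here before it is reused.  The crash
 * in this thread is a record that never did: its pointer fields held
 * stack garbage (0x64, 0x20, 0x1000 ...) that was then free()d. */
void init_error(error_rec *e)
{
    memset(e, 0, sizeof *e);
    e->magic = ERR_MAGIC;
}

/* Free the previous error's strings.  Returns -1 instead of touching a
 * record that was never initialised: free() on garbage is undefined
 * behaviour, which is what valgrind reported as "Invalid free()". */
int reset_error(error_rec *e)
{
    if (e == NULL || e->magic != ERR_MAGIC)
        return -1;
    free(e->file);
    free(e->str1);
    free(e->message);
    e->file = e->str1 = e->message = NULL;
    e->code = e->line = 0;
    return 0;
}

/* Record a new error, copying the strings the way __xmlRaiseError copies
 * them with xmlStrdup.  Returns 0 on success, -1 if the record is unusable. */
int raise_error(error_rec *e, int code, const char *file, int line,
                const char *str1, const char *msg)
{
    if (reset_error(e) != 0)
        return -1;
    e->code = code;
    e->line = line;
    e->file = copy_str(file);
    e->str1 = copy_str(str1);
    e->message = copy_str(msg);
    return 0;
}

/* Two cases: an initialised record reused twice (the first error's
 * strings are freed on the second raise), and a record filled with a
 * constructed garbage pattern standing in for uninitialised stack memory,
 * which the guard rejects instead of free()ing its fields. */
int main(void)
{
    error_rec good, bad;

    init_error(&good);
    raise_error(&good, 534, "test.xml", 4, "INFOBLOCK",
                "No declaration for element %s");
    raise_error(&good, 534, "test.xml", 5, "INFOBLOCK",
                "No declaration for element %s");
    printf("good: code=%d line=%d str1=%s\n", good.code, good.line, good.str1);
    reset_error(&good);

    memset(&bad, 0xAB, sizeof bad);                 /* constructed garbage */
    printf("bad: raise_error returned %d\n",
           raise_error(&bad, 534, "test.xml", 4, "INFOBLOCK", "x"));
    return 0;
}
```

The point of the marker is the invariant the crashing code lacked: a routine that frees fields on reuse may only ever be handed a record that the library itself initialised. Whether that is enforced by a tag check as here, or by the library allocating and zeroing the record before any error callback can reach it, the caller-supplied userData pointer must never be reinterpreted as such a record.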

Comment 11 Daniel Veillard 2006-08-22 14:28:48 UTC
Created attachment 134638 [details]
the real fix for this problem

Comment 12 Daniel Veillard 2006-08-22 14:32:04 UTC
The bug was still in upstream. I can certify the php wrapper was not
tested for DTD validation in the last year or so: bad code, but libxml2
is at fault too, more complex than it should be :-\

The test works for me on 32- and 64-bit boxes, RHEL4 libxml2-2.6.16-6 and
upstream; also tested under valgrind with the test program but not with
php itself.

Daniel

Comment 14 Bastien Nocera 2006-08-23 10:50:22 UTC
Patch fixes the problem, thanks.

Comment 15 Daniel Riek 2006-08-29 14:31:17 UTC
The component of this request is planned to be updated in Red Hat Enterprise
Linux 4.5.

This enhancement request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux maintenance release.

Product Management has requested further review of this request by Red Hat
Engineering, for potential inclusion in a Red Hat Enterprise Linux Update
release for currently deployed products.

This request is not yet committed for inclusion in an Update release.

Comment 16 Daniel Veillard 2006-12-12 11:08:42 UTC
452596 build (dist-4E-qu-candidate, RHEL-4:libxml2-2_6_16-8)

A version with the fix has been built in dist-4E-qu-candidate.

Daniel

Comment 20 Red Hat Bugzilla 2007-05-01 22:46:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0195.html


Comment 21 Issue Tracker 2007-07-03 14:16:40 UTC
Hi,

This issue is fixed so I close this IT.

Thanks,

Sebastien.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 4.5'

This event sent from IssueTracker by saime, issue 100135

