php-4.3.9-3.15
libxml2-2.6.16-6

This was the original test case. 3 files:

test.php:
    <?
    $dom = domxml_open_file("test.xml", DOMXML_LOAD_VALIDATING);
    var_dump($err);
    ?>

test.xml:
    <?xml version="1.0"?>
    <!DOCTYPE DAUGHTERPAGE SYSTEM 'syntax.dtd'>
    <DAUGHTERPAGE version="2">
    <INFOBLOCK>
    </INFOBLOCK>
    </DAUGHTERPAGE>

syntax.dtd:
    <!ELEMENT DAUGHTERPAGE (INFOBLOCK? )>
    <!ATTLIST DAUGHTERPAGE version CDATA #IMPLIED >

Running "php test.php" will result in a segfault. I reproduced the issue mimicking php's php_domxml plugin in a C testcase (attached below, along with the produced backtrace). The problem doesn't exist with a current libxml2 from upstream.
Created attachment 134446 [details] test.c
Okay, I can reproduce this on RHEL4, I will try to come with a patch shortly, Daniel
Created attachment 134449 [details] patch to avoid modifying an immutable buffer on iconv errors
I think the customer is hitting http://bugzilla.gnome.org/show_bug.cgi?id=340398 which was fixed by the attached patch 134449. Can you try to rebuild a RHEL4 package with it? Or should I? Daniel
Sebastien is testing this now.
QE ack for 4.5.
Created attachment 134556 [details] libxml2-encoding-warning-crasher.patch Updated patch that applies against libxml2-2.6.16-6
The patch doesn't work though:

#1  0x00d017eb in xmlResetError__internal_alias (err=0xbfe22d80) at error.c:856
#2  0x00d0199d in __xmlRaiseError (schannel=0, channel=0x80484fc <domxml_error_validate>, data=0xbfe22c00, ctx=0xbfe22c00, nod=0x8512dd8, domain=23, code=534, level=XML_ERR_ERROR, file=0x1000 <Address 0x1000 out of bounds>, line=100, str1=0x8512e18 "INFOBLOCK", str2=0x8512e18 "INFOBLOCK", str3=0x0, int1=0, int2=0, msg=0xdbe9a8 "No declaration for element %s\n") at error.c:528
#3  0x00d2ebe3 in xmlErrValidNode (ctxt=Variable "ctxt" is not available. ) at valid.c:152
#4  0x00d35323 in xmlValidGetElemDecl (ctxt=0x8509074, doc=0x8512988, elem=0x8512dd8, extsubset=0xbfe2025c) at valid.c:5455
#5  0x00d35b75 in xmlValidateOneElement__internal_alias (ctxt=0x8509074, doc=0x8512988, elem=0x8512dd8) at valid.c:5791
#6  0x00dada5a in xmlSAX2EndElementNs__internal_alias (ctx=0x8509008, localname=0x85125d0 "INFOBLOCK", prefix=0x0, URI=0x0) at SAX2.c:2215
#7  0x00d0e632 in xmlParseEndTag2 (ctxt=0x8509008, prefix=0x0, URI=0x449804 "", line=4495364, nsNr=0, tlen=9) at parser.c:7751
#8  0x00d1918c in xmlParseElement__internal_alias (ctxt=0x8509008) at parser.c:8086
#9  0x00d17976 in xmlParseContent__internal_alias (ctxt=0x8509008) at parser.c:7905
#10 0x00d1912f in xmlParseElement__internal_alias (ctxt=0x8509008) at parser.c:8065
#11 0x00d19887 in xmlParseDocument__internal_alias (ctxt=0x8509008) at parser.c:8666
#12 0x080485d5 in main (argc=1, argv=0xbfe35704) at test.c:59
Works for me! Compiling tst.c on a 2.6.16 build (static to make sure it uses the right libs):

before applying the patch

(gdb) r
Starting program: /u/veillard/rpms/BUILD/libxml2-2.6.16/tst
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xd41000
[Thread debugging using libthread_db enabled]
[New Thread -1208100656 (LWP 30686)]
output conversion failed due to conv error
Bytes: 0xFF 0xFF 0xFF 0xFF

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208100656 (LWP 30686)]
0x0804b468 in xmlCharEncOutFunc (handler=0x8f1d5f8, out=0x8f1d620, in=0x8f2e680) at encoding.c:2063
2063            in->content[0] = ' ';

after applying the patch

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": File in wrong format
`/u/veillard/rpms/BUILD/libxml2-2.6.16/tst' has changed; re-reading symbols.
Starting program: /u/veillard/rpms/BUILD/libxml2-2.6.16/tst
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xd41000
output conversion failed due to conv error
Bytes: 0xFF 0xFF 0xFF 0xFF
error: -2

Program exited normally.
(gdb)

Where is the stack trace from #8 coming from? Daniel
Looking at it, I don't really see what the patch(es) have to do with the problem. The stack trace in comment #8 is the same one as in the attachment, and has to do with the error handling. I tested this on a RHEL4 with libxml2-2.6.16-6.test (libxml2-2.6.16-6 + patch from comment #7). Here's the interesting bits of the valgrind output:

==21663== Conditional jump or move depends on uninitialised value(s)
==21663==    at 0x403C728: __xmlRaiseError (error.c:498)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Use of uninitialised value of size 4
==21663==    at 0x403C72F: __xmlRaiseError (error.c:498)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Conditional jump or move depends on uninitialised value(s)
==21663==    at 0x403C747: __xmlRaiseError (error.c:502)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Use of uninitialised value of size 4
==21663==    at 0x403C74E: __xmlRaiseError (error.c:503)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Use of uninitialised value of size 4
==21663==    at 0x403C751: __xmlRaiseError (error.c:504)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1B3: xmlResetError (error.c:852)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x64 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1C5: xmlResetError (error.c:854)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x8048034 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1D7: xmlResetError (error.c:856)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1E9: xmlResetError (error.c:858)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x5 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1FB: xmlResetError (error.c:860)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x7 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid read of size 1
==21663==    at 0x40A350B: xmlStrdup (xmlstring.c:70)
==21663==    by 0x403C392: __xmlRaiseError (error.c:534)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==  Address 0x1000 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Process terminating with default action of signal 11 (SIGSEGV)
==21663==  Access not within mapped region at address 0x1000
==21663==    at 0x40A350B: xmlStrdup (xmlstring.c:70)
==21663==    by 0x403C392: __xmlRaiseError (error.c:534)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
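The valgrind report above shows the shape of the failure: __xmlRaiseError reads fields of an error record that were never initialised, xmlResetError then free()s whatever garbage pointers it finds there (the "Invalid free() ... Address 0x64 / 0x20 / 0x5 / 0x7" entries), and finally xmlStrdup dereferences a bogus file pointer (0x1000). The C program below is an added illustration of that class of bug and of a defensive pattern for it; it is not libxml2 code, and every name in it (err_record, err_init, err_reset, err_raise, ERR_MAGIC) is an assumption made for the example. It models a library that keeps a "last error" record and frees the previous strings before storing a new error, and shows that such a record is only safe to reset if the library can tell it was initialised: a caller-supplied record is zeroed and stamped with a sentinel by err_init, and err_reset refuses to free anything from a record that lacks the sentinel instead of calling free() on stack garbage.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sentinel marking a record that went through err_init(). */
#define ERR_MAGIC 0x45525231u

/* Hypothetical "last error" record, modelled loosely on the idea of an
 * error struct whose string fields are freed before a new error is stored. */
typedef struct {
    uint32_t magic;    /* ERR_MAGIC once initialised, anything else otherwise */
    int      code;
    char    *file;     /* heap string or NULL */
    char    *message;  /* heap string or NULL */
} err_record;

/* Zero every field so the first reset sees NULL pointers (free(NULL) is a no-op). */
void err_init(err_record *e) {
    memset(e, 0, sizeof *e);
    e->magic = ERR_MAGIC;
}

/* Free previously stored strings. Returns 0 on success, -1 if the record
 * does not carry the sentinel, i.e. its pointer fields cannot be trusted. */
int err_reset(err_record *e) {
    if (e == NULL || e->magic != ERR_MAGIC)
        return -1;                 /* refuse to free() uninitialised memory */
    free(e->file);
    free(e->message);
    e->file = NULL;
    e->message = NULL;
    e->code = 0;
    return 0;
}

/* Store a new error, replacing the previous one. Returns 0 or -1. */
int err_raise(err_record *e, int code, const char *file, const char *msg) {
    if (err_reset(e) != 0)
        return -1;
    e->code = code;
    e->file = file ? strdup(file) : NULL;
    e->message = msg ? strdup(msg) : NULL;
    return 0;
}

/* Happy path: an initialised record takes two errors in sequence; the
 * second replaces the first without leaking or double-freeing. Returns 1 on success. */
int demo_initialised(void) {
    err_record e;
    err_init(&e);
    if (err_raise(&e, 534, "test.xml", "No declaration for element INFOBLOCK") != 0)
        return 0;
    if (err_raise(&e, 535, "test.xml", "second error") != 0)
        return 0;
    int ok = (e.code == 535) && e.message != NULL && strcmp(e.message, "second error") == 0;
    err_reset(&e);                 /* release the strings before the record goes away */
    return ok;
}

/* Failure mode: the record is filled with deterministic garbage (0xAA bytes)
 * to stand in for uninitialised stack memory. Without the sentinel check the
 * library would call free() on 0xAAAAAAAA; with it, err_raise reports -1. */
int demo_uninitialised(void) {
    err_record e;
    memset(&e, 0xAA, sizeof e);    /* constructed garbage, not a real allocation */
    return err_raise(&e, 534, "test.xml", "msg");
}
```

A sentinel is a cheap check, not a proof: a record that happens to contain the magic value by accident would still pass. The stronger fix is the one the thread converges on, making sure the context the library hands to its own error path is always the one it initialised, so that free() only ever sees NULL or live heap pointers.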
Created attachment 134638 [details] the real fix for this problem
The bug was still in upstream, I can certify the php wrapper was not tested for DTD validation in the last year or so, bad code, but libxml2 is at fault too, more complex than it should :-\ test works for me on 32 and 64 bits boxes, RHEL4 libxml2-2.6.16-6 and for upstream, also tested on valgrind with the test program but not with php itself. Daniel
Patch fixes the problem, thanks.
The component of this request is planned to be updated in Red Hat enterprise Linux 4.5. This enhancement request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
452596 build (dist-4E-qu-candidate, RHEL-4:libxml2-2_6_16-8) A version with the fix has been built in dist-4E-qu-candidate, Daniel
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0195.html
Hi, This issue is fixed so I close this IT. Thanks, Sebastien. Internal Status set to 'Resolved' Status set to: Closed by Tech Resolution set to: 'RHEL 4.5' This event sent from IssueTracker by saime issue 100135