Bug 203125 - PHP crashes when validating with errors
PHP crashes when validating with errors
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: libxml2 (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Veillard
:
Depends On:
Blocks: 461607
  Show dependency treegraph
 
Reported: 2006-08-18 10:57 EDT by Bastien Nocera
Modified: 2008-09-09 08:52 EDT (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2007-0195
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-01 18:46:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
test.c (2.96 KB, text/x-csrc)
2006-08-18 10:57 EDT, Bastien Nocera
no flags Details
patch to avoid modifying an immutable buffer on iconv errors (566 bytes, patch)
2006-08-18 11:13 EDT, Daniel Veillard
no flags Details | Diff
libxml2-encoding-warning-crasher.patch (406 bytes, patch)
2006-08-21 08:13 EDT, Bastien Nocera
no flags Details | Diff
the real fix for this problem (2.03 KB, patch)
2006-08-22 10:28 EDT, Daniel Veillard
no flags Details | Diff

  None (edit)
Description Bastien Nocera 2006-08-18 10:57:10 EDT
php-4.3.9-3.15
libxml2-2.6.16-6

This was the original test case. 3 files:
test.php:
<?
       $dom = domxml_open_file("test.xml", DOMXML_LOAD_VALIDATING);
       var_dump($err);
?>

test.xml:
<?xml version="1.0"?>
<!DOCTYPE DAUGHTERPAGE SYSTEM 'syntax.dtd'>
<DAUGHTERPAGE version="2">
<INFOBLOCK>
</INFOBLOCK>
</DAUGHTERPAGE>

syntax.dtd:
<!ELEMENT DAUGHTERPAGE  (INFOBLOCK? )>
<!ATTLIST DAUGHTERPAGE  version CDATA  #IMPLIED >

Running "php test.php" will result in a segfault. I reproduced the issue
mimicking php's php_domxml plugin in a C testcase (attached below, along with
the produced backtrace)

The problem doesn't exist with a current libxml2 from upstream.
Comment 1 Bastien Nocera 2006-08-18 10:57:11 EDT
Created attachment 134446 [details]
test.c
Comment 2 Daniel Veillard 2006-08-18 11:11:37 EDT
Okay, I can reproduce this on RHEL4, I will try to come with a patch shortly,

Daniel
Comment 3 Daniel Veillard 2006-08-18 11:13:35 EDT
Created attachment 134449 [details]
patch to avoid modifying an immutable buffer on iconv errors
Comment 4 Daniel Veillard 2006-08-18 11:15:32 EDT
I think the customer is hitting
  http://bugzilla.gnome.org/show_bug.cgi?id=340398
which was fixed by the patch attached 134449

Can you try to rebuild a RHEL4 package with it ? Or should I ?

Daniel
Comment 5 Bastien Nocera 2006-08-18 11:28:31 EDT
Sebastien is testing this now.
Comment 6 Jay Turner 2006-08-20 21:44:03 EDT
QE ack for 4.5.
Comment 7 Bastien Nocera 2006-08-21 08:13:18 EDT
Created attachment 134556 [details]
libxml2-encoding-warning-crasher.patch

Updated patch that applies against libxml2-2.6.16-6
Comment 8 Bastien Nocera 2006-08-21 08:14:46 EDT
The patch doesn't work though:
#1  0x00d017eb in xmlResetError__internal_alias (err=0xbfe22d80) at error.c:856
#2  0x00d0199d in __xmlRaiseError (schannel=0,
    channel=0x80484fc <domxml_error_validate>, data=0xbfe22c00,
    ctx=0xbfe22c00, nod=0x8512dd8, domain=23, code=534, level=XML_ERR_ERROR,
    file=0x1000 <Address 0x1000 out of bounds>, line=100,
    str1=0x8512e18 "INFOBLOCK", str2=0x8512e18 "INFOBLOCK", str3=0x0, int1=0,
    int2=0, msg=0xdbe9a8 "No declaration for element %s\n") at error.c:528
#3  0x00d2ebe3 in xmlErrValidNode (ctxt=Variable "ctxt" is not available.
) at valid.c:152
#4  0x00d35323 in xmlValidGetElemDecl (ctxt=0x8509074, doc=0x8512988,
    elem=0x8512dd8, extsubset=0xbfe2025c) at valid.c:5455
#5  0x00d35b75 in xmlValidateOneElement__internal_alias (ctxt=0x8509074,
    doc=0x8512988, elem=0x8512dd8) at valid.c:5791
#6  0x00dada5a in xmlSAX2EndElementNs__internal_alias (ctx=0x8509008,
    localname=0x85125d0 "INFOBLOCK", prefix=0x0, URI=0x0) at SAX2.c:2215
#7  0x00d0e632 in xmlParseEndTag2 (ctxt=0x8509008, prefix=0x0,
    URI=0x449804 "", line=4495364, nsNr=0, tlen=9) at parser.c:7751
#8  0x00d1918c in xmlParseElement__internal_alias (ctxt=0x8509008)
    at parser.c:8086
#9  0x00d17976 in xmlParseContent__internal_alias (ctxt=0x8509008)
    at parser.c:7905
#10 0x00d1912f in xmlParseElement__internal_alias (ctxt=0x8509008)
    at parser.c:8065
#11 0x00d19887 in xmlParseDocument__internal_alias (ctxt=0x8509008)
    at parser.c:8666
#12 0x080485d5 in main (argc=1, argv=0xbfe35704) at test.c:59
Comment 9 Daniel Veillard 2006-08-21 09:01:59 EDT
Works for me ! Compiling tst.c on a 2.6.16 build (static to make sure it uses 
the right libs):

  before applying the patch

(gdb) r
Starting program: /u/veillard/rpms/BUILD/libxml2-2.6.16/tst
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xd41000
[Thread debugging using libthread_db enabled]
[New Thread -1208100656 (LWP 30686)]
output conversion failed due to conv error
Bytes: 0xFF 0xFF 0xFF 0xFF

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208100656 (LWP 30686)]
0x0804b468 in xmlCharEncOutFunc (handler=0x8f1d5f8, out=0x8f1d620,
    in=0x8f2e680) at encoding.c:2063
2063                    in->content[0] = ' ';

 after applying the patch

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": File in wrong format
`/u/veillard/rpms/BUILD/libxml2-2.6.16/tst' has changed; re-reading symbols.

Starting program: /u/veillard/rpms/BUILD/libxml2-2.6.16/tst
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xd41000
output conversion failed due to conv error
Bytes: 0xFF 0xFF 0xFF 0xFF
error: -2

Program exited normally.
(gdb)

   Where is the stack trace from #8 coming from ?

Daniel
Comment 10 Bastien Nocera 2006-08-21 10:45:36 EDT
Looking at it, I don't really see what the patch(es) have to do with the problem.
The stack trace in comment #8 is the same one as in the attachment, and has to
do with the error handling.

I tested this on a RHEL4 with libxml2-2.6.16-6.test (libxml2-2.6.16-6 + patch
from comment #7).

Here's the interesting bits of the valgrind output:
==21663== Conditional jump or move depends on uninitialised value(s)
==21663==    at 0x403C728: __xmlRaiseError (error.c:498)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Use of uninitialised value of size 4
==21663==    at 0x403C72F: __xmlRaiseError (error.c:498)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Conditional jump or move depends on uninitialised value(s)
==21663==    at 0x403C747: __xmlRaiseError (error.c:502)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Use of uninitialised value of size 4
==21663==    at 0x403C74E: __xmlRaiseError (error.c:503)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Use of uninitialised value of size 4
==21663==    at 0x403C751: __xmlRaiseError (error.c:504)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1B3: xmlResetError (error.c:852)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x64 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1C5: xmlResetError (error.c:854)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x8048034 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1D7: xmlResetError (error.c:856)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1E9: xmlResetError (error.c:858)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x5 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid free() / delete / delete[]
==21663==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==21663==    by 0x403C1FB: xmlResetError (error.c:860)
==21663==    by 0x403C365: __xmlRaiseError (error.c:528)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==  Address 0x7 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Invalid read of size 1
==21663==    at 0x40A350B: xmlStrdup (xmlstring.c:70)
==21663==    by 0x403C392: __xmlRaiseError (error.c:534)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
==21663==  Address 0x1000 is not stack'd, malloc'd or (recently) free'd
==21663==
==21663== Process terminating with default action of signal 11 (SIGSEGV)
==21663==  Access not within mapped region at address 0x1000
==21663==    at 0x40A350B: xmlStrdup (xmlstring.c:70)
==21663==    by 0x403C392: __xmlRaiseError (error.c:534)
==21663==    by 0x40673D4: ??? (valid.c:152)
==21663==    by 0x406D666: ??? (valid.c:5455)
==21663==    by 0x406DEAE: xmlValidateOneElement (valid.c:5791)
==21663==    by 0x40E0C24: xmlSAX2EndElementNs (SAX2.c:2215)
==21663==    by 0x4048912: ??? (parser.c:7751)
==21663==    by 0x405305F: xmlParseElement (parser.c:8086)
==21663==    by 0x40518EA: xmlParseContent (parser.c:7905)
==21663==    by 0x4053005: xmlParseElement (parser.c:8065)
==21663==    by 0x4053715: xmlParseDocument (parser.c:8666)
==21663==    by 0x80485D4: main (test.c:57)
Comment 11 Daniel Veillard 2006-08-22 10:28:48 EDT
Created attachment 134638 [details]
the real fix for this problem
Comment 12 Daniel Veillard 2006-08-22 10:32:04 EDT
The bug was still in upstream, I can certify the php wrapper was not
tested for DTD validation in the last year or so, bad code, but libxml2
is at fault too, more complex than it should :-\

test works for me on 32 and 64 bits boxes, RHEL4 libxml2-2.6.16-6 and
for upstream, also tested on valgrind with the test program but not with
php itself.

Daniel
Comment 14 Bastien Nocera 2006-08-23 06:50:22 EDT
Patch fixes the problem, thanks.
Comment 15 Daniel Riek 2006-08-29 10:31:17 EDT
The component of this request is planned to be updated in Red Hat enterprise
Linux 4.5.

This enhancement request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux maintenance release.

Product Management has requested further review of this request by Red Hat
Engineering, for potential inclusion in a Red Hat Enterprise Linux Update
release for currently deployed products.

This request is not yet committed for inclusion in an Update release. 
Comment 16 Daniel Veillard 2006-12-12 06:08:42 EST
452596 build (dist-4E-qu-candidate, RHEL-4:libxml2-2_6_16-8)

A version with the fix has been built in dist-4E-qu-candidate,

Daniel
Comment 20 Red Hat Bugzilla 2007-05-01 18:46:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0195.html
Comment 21 Issue Tracker 2007-07-03 10:16:40 EDT
Hi,

This issue is fixed so I close this IT.

Thanks,

Sebastien.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 4.5'

This event sent from IssueTracker by saime 
 issue 100135

Note You need to log in before you can comment on or make changes to this bug.