Bug 804056 - xmllint --xpath crashes on empty results (null pointer dereference in doXPathDump)
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: libxml2
Version: 17
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Daniel Veillard
Fedora Extras Quality Assurance
abrt_hash:06910dfc94710a76ec1f25e399b...
: Reopened
Reported: 2012-03-16 08:37 EDT by fred
Modified: 2013-08-01 14:11 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-08-01 14:11:40 EDT


Attachments
File: backtrace (84.54 KB, text/plain), 2012-03-16 08:37 EDT, fred
File: smolt_data (4.61 KB, text/plain), 2012-03-16 08:37 EDT, fred

Description fred 2012-03-16 08:37:28 EDT
libreport version: 2.0.8
abrt_version:   2.0.7
backtrace_rating: 4
cmdline:        xmllint --xpath /urlset/url/loc/text() plopi
comment:        using --xpath expr on a standard file
crash_function: doXPathDump
executable:     /usr/bin/xmllint
kernel:         3.2.9-2.fc16.x86_64
pid:            16126
pwd:            /home/fred
reason:         Process /usr/bin/xmllint was killed by signal 11 (SIGSEGV)
time:           ven. 16 mars 2012 12:25:53 CET
uid:            1000
username:       fred

backtrace:      Text file, 86567 bytes
smolt_data:     Text file, 4721 bytes

dso_list:
:/lib64/libdl-2.14.90.so glibc-2.14.90-24.fc16.6.x86_64 (Fedora Project) 1330335213
:/lib64/libm-2.14.90.so glibc-2.14.90-24.fc16.6.x86_64 (Fedora Project) 1330335213
:/lib64/libc-2.14.90.so glibc-2.14.90-24.fc16.6.x86_64 (Fedora Project) 1330335213
:/usr/bin/xmllint libxml2-2.7.8-6.fc16.x86_64 (Fedora Project) 1320287304
:/usr/bin/xmllint libxml2-2.7.8-6.fc16.i686 (Fedora Project) 1322240996
:/usr/lib64/libxml2.so.2.7.8 libxml2-2.7.8-6.fc16.x86_64 (Fedora Project) 1320287304
:/lib64/libz.so.1.2.5 zlib-1.2.5-6.fc16.x86_64 (Fedora Project) 1327309240
:/lib64/ld-2.14.90.so glibc-2.14.90-24.fc16.6.x86_64 (Fedora Project) 1330335213

environ:
:LANG=fr_FR.utf8
:DISPLAY=:0
:SHLVL=1
:LOGNAME=fred
:XDG_VTNR=1
:GNOME_KEYRING_PID=1371
:IMSETTINGS_MODULE=none
:XAUTHORITY=/var/run/gdm/auth-for-fred-wBErej/database
:PWD=/home/fred
:IMSETTINGS_INTEGRATE_DESKTOP=yes
:XDG_SESSION_ID=2
:DESKTOP_SESSION=gnome
:GDMSESSION=gnome
:GNOME_KEYRING_CONTROL=/tmp/keyring-FKnCX5
:USERNAME=fred
:WINDOWPATH=1
:LC_NUMERIC=fr_FR.utf8
:LC_MEASUREMENT=fr_FR.utf8
:GNOME_DESKTOP_SESSION_ID=this-is-deprecated
:LC_MONETARY=fr_FR.utf8
:DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-2KVaEs12rf,guid=c07342e0bef99e141affc0cb00000023
:'LESSOPEN=||/usr/bin/lesspipe.sh %s'
:HISTCONTROL=ignoredups
:MAIL=/var/spool/mail/fred
:_=/usr/bin/xmllint
:'GJS_DEBUG_TOPICS=JS ERROR;JS LOG'
:COLORTERM=gnome-terminal
:XDG_SESSION_COOKIE=a7abb38d09e3d8a83ae27fac00000009-1331888706.911433-1522517222
:GDM_LANG=fr_FR.utf8
:OLDPWD=/home/fred/ga-multitouch/tagCheckerGA
:HOSTNAME=boulet
:SHELL=/bin/zsh
:LC_TIME=fr_FR.utf8
:TERM=xterm
:QT_IM_MODULE=xim
:HISTSIZE=10000
:SSH_AUTH_SOCK=/tmp/keyring-FKnCX5/ssh
:PATH=/home/fred/.rvm/gems/ruby-1.9.2-p0@ga-multitouch/bin:/home/fred/.rvm/gems/ruby-1.9.2-p0@global/bin:/home/fred/.rvm/rubies/ruby-1.9.2-p0/bin:/home/fred/.rvm/bin:/home/fred/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/home/fred/go/go/bin:/home/fred/.rvm/bin
:WINDOWID=20971525
:GJS_DEBUG_OUTPUT=stderr
:HOME=/home/fred
:XDG_SEAT=seat0
:XMODIFIERS=@im=none
:XDG_RUNTIME_DIR=/run/user/fred
:SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/1376,unix/unix:/tmp/.ICE-unix/1376
:GPG_AGENT_INFO=/tmp/keyring-FKnCX5/gpg:0:1
:USER=fred
:AUTOJUMP_DATA_DIR=/home/fred/.local/share/autojump
:LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:*.pdf=00;33:*.ps=00;33:*.ps.gz=00;33:*.txt=00;33:*.patch=00;33:*.diff=00;33:*.log=00;33:*.tex=00;33:*.xls=00;33:*.xlsx=00;33:*.ppt=00;33:*.pptx=00;33:*.rtf=00;33:*.doc=00;33:*.docx=00;33:*.odt=00;33:*.ods=00;33:*.odp=00;33:*.xml=00;33:*.epub=00;33:*.abw=00;33:*.html=00;33:*.wpd=00;33:
:ZSH=/home/fred/.oh-my-zsh
:ZSH_THEME=wedisagree
:GREP_OPTIONS=--color=auto
:GREP_COLOR=1;32
:PAGER=less
:LC_CTYPE=fr_FR.utf8
:LSCOLORS=Gxfxcxdxbxegedabagacad
:JAVA_HOME=/usr/lib/jvm/java
:GOROOT=/home/fred/go/go
:GOBIN=/home/fred/go/go/bin
:GOOS=linux
:GOARCH=amd64
:RVMPATH=/home/fred/.rvm/bin
:EDITOR=vim
:rvm_path=/home/fred/.rvm
:rvm_selfcontained=1
:rvm_version=1.0.19
:RUBY_VERSION=ruby-1.9.2-p0
:GEM_HOME=/home/fred/.rvm/gems/ruby-1.9.2-p0@ga-multitouch
:GEM_PATH=/home/fred/.rvm/gems/ruby-1.9.2-p0@ga-multitouch:/home/fred/.rvm/gems/ruby-1.9.2-p0@global
:BUNDLE_PATH=/home/fred/.rvm/gems/ruby-1.9.2-p0@ga-multitouch
:MY_RUBY_HOME=/home/fred/.rvm/rubies/ruby-1.9.2-p0
:IRBRC=/home/fred/.rvm/rubies/ruby-1.9.2-p0/.irbrc
:rvm_ruby_string=ruby-1.9.2-p0
:rvm_gemset_name=ga-multitouch

event_log:
:2012-03-16-12:26:23> Interrogation des paramètres de serveur
:2012-03-16-12:26:23  Préparation de l'archive à envoyer
:2012-03-16-12:26:24  Envoi de 202024 octets
:2012-03-16-12:26:25  Transfert réussi
:2012-03-16-12:26:26  Le travail de retrace a commencé
:2012-03-16-12:26:39  Analyzing crash data
:2012-03-16-12:26:49  Initializing virtual root
:2012-03-16-12:27:00  Initializing virtual root
:2012-03-16-12:27:11  Initializing virtual root
:2012-03-16-12:27:22  Initializing virtual root
:2012-03-16-12:27:33  Initializing virtual root
:2012-03-16-12:27:43  Initializing virtual root
:2012-03-16-12:27:54  Generating backtrace
:2012-03-16-12:28:05  Retrace job finished successfully
:2012-03-16-13:37:12> Smolt profile successfully saved

maps:
:00400000-0040e000 r-xp 00000000 08:05 170782                             /usr/bin/xmllint
:0060d000-0060f000 rw-p 0000d000 08:05 170782                             /usr/bin/xmllint
:0060f000-0061b000 rw-p 00000000 00:00 0 
:0080e000-0080f000 rw-p 0000e000 08:05 170782                             /usr/bin/xmllint
:00b7c000-00def000 rw-p 00000000 00:00 0                                  [heap]
:323aa00000-323aa22000 r-xp 00000000 08:05 154094                         /lib64/ld-2.14.90.so
:323ac21000-323ac22000 r--p 00021000 08:05 154094                         /lib64/ld-2.14.90.so
:323ac22000-323ac23000 rw-p 00022000 08:05 154094                         /lib64/ld-2.14.90.so
:323ac23000-323ac24000 rw-p 00000000 00:00 0 
:323ae00000-323afad000 r-xp 00000000 08:05 159104                         /lib64/libc-2.14.90.so
:323afad000-323b1ad000 ---p 001ad000 08:05 159104                         /lib64/libc-2.14.90.so
:323b1ad000-323b1b1000 r--p 001ad000 08:05 159104                         /lib64/libc-2.14.90.so
:323b1b1000-323b1b3000 rw-p 001b1000 08:05 159104                         /lib64/libc-2.14.90.so
:323b1b3000-323b1b8000 rw-p 00000000 00:00 0 
:323b600000-323b602000 r-xp 00000000 08:05 170912                         /lib64/libdl-2.14.90.so
:323b602000-323b802000 ---p 00002000 08:05 170912                         /lib64/libdl-2.14.90.so
:323b802000-323b803000 r--p 00002000 08:05 170912                         /lib64/libdl-2.14.90.so
:323b803000-323b804000 rw-p 00003000 08:05 170912                         /lib64/libdl-2.14.90.so
:323be00000-323be17000 r-xp 00000000 08:05 170908                         /lib64/libz.so.1.2.5
:323be17000-323c016000 ---p 00017000 08:05 170908                         /lib64/libz.so.1.2.5
:323c016000-323c017000 rw-p 00016000 08:05 170908                         /lib64/libz.so.1.2.5
:323c200000-323c283000 r-xp 00000000 08:05 159120                         /lib64/libm-2.14.90.so
:323c283000-323c482000 ---p 00083000 08:05 159120                         /lib64/libm-2.14.90.so
:323c482000-323c483000 r--p 00082000 08:05 159120                         /lib64/libm-2.14.90.so
:323c483000-323c484000 rw-p 00083000 08:05 159120                         /lib64/libm-2.14.90.so
:323fa00000-323fb50000 r-xp 00000000 08:05 170943                         /usr/lib64/libxml2.so.2.7.8
:323fb50000-323fd50000 ---p 00150000 08:05 170943                         /usr/lib64/libxml2.so.2.7.8
:323fd50000-323fd59000 rw-p 00150000 08:05 170943                         /usr/lib64/libxml2.so.2.7.8
:323fd59000-323fd5b000 rw-p 00000000 00:00 0 
:7fc077574000-7fc077579000 rw-p 00000000 00:00 0 
:7fc077597000-7fc077598000 rw-p 00000000 00:00 0 
:7fff88ed1000-7fff88ef2000 rw-p 00000000 00:00 0                          [stack]
:7fff88fff000-7fff89000000 r-xp 00000000 00:00 0                          [vdso]
:ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

var_log_messages:
:Mar 16 12:25:53 boulet kernel: [ 8460.068561] xmllint[16126]: segfault at 0 ip 0000000000408fd9 sp 00007fff88eee190 error 4 in xmllint[400000+e000]
:Mar 16 12:25:53 boulet abrt[16127]: Saved core dump of pid 16126 (/usr/bin/xmllint) to /var/spool/abrt/ccpp-2012-03-16-12:25:53-16126 (2899968 bytes)
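The kernel line abrt captured above already tells a triager what kind of fault this was before the core dump is opened. The following is an added example (not part of the bug report, abrt or libxml2) that parses that line and decodes the x86 page-fault error code, on the assumption that bit 0 means "page present", bit 1 "write access" and bit 2 "user mode", and that an address inside the first 4 KiB page is a NULL-pointer dereference. `error 4` at address 0 therefore reads as a user-mode read of an unmapped page, which matches the `cur->nodesetval->nodeNr` dereference later confirmed in gdb.

```c
/* Added example (not from the bug report or libxml2): decode the kernel
 * "segfault at" line abrt captured in var_log_messages, so a triager can tell
 * a NULL-pointer read (this bug) from a write or a wild pointer without
 * opening the core dump. Assumes the x86 page-fault error-code bits:
 * bit 0 = page present, bit 1 = write access, bit 2 = user mode. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char comm[32];            /* process name, e.g. "xmllint" */
    long pid;
    unsigned long addr;       /* faulting address */
    unsigned long ip;         /* instruction pointer at the fault */
    unsigned long sp;         /* stack pointer at the fault */
    unsigned err;             /* raw page-fault error code */
    int present, write, user; /* decoded error-code bits */
    int null_deref;           /* addr inside the (never mapped) first page */
} segfault_info;

/* Returns 1 and fills *out when line is a kernel segfault report, else 0. */
static int parse_segfault_line(const char *line, segfault_info *out)
{
    const char *p = strstr(line, "segfault at ");
    if (p == NULL || p - line < 3)
        return 0;

    /* The token just before "segfault at " is "comm[pid]: ". */
    const char *tag_end = p - 3;
    if (strncmp(tag_end, "]: ", 3) != 0)
        return 0;
    const char *lb = tag_end;
    while (lb > line && *lb != '[')
        lb--;
    if (*lb != '[')
        return 0;
    char *end;
    long pid = strtol(lb + 1, &end, 10);
    if (end != tag_end)
        return 0;
    const char *cs = lb;
    while (cs > line && cs[-1] != ' ')
        cs--;
    size_t clen = (size_t)(lb - cs);
    if (clen == 0 || clen >= sizeof out->comm)
        return 0;

    unsigned long addr, ip, sp;
    unsigned err;
    if (sscanf(p, "segfault at %lx ip %lx sp %lx error %u",
               &addr, &ip, &sp, &err) != 4)
        return 0;

    memset(out, 0, sizeof *out);
    memcpy(out->comm, cs, clen);
    out->pid = pid;
    out->addr = addr;
    out->ip = ip;
    out->sp = sp;
    out->err = err;
    out->present = err & 1u;
    out->write = (err >> 1) & 1u;
    out->user = (err >> 2) & 1u;
    out->null_deref = addr < 4096;  /* assumption: 4 KiB pages, page 0 unmapped */
    return 1;
}

/* Short classification for a triage note. */
static const char *segfault_kind(const segfault_info *s)
{
    if (!s->user)
        return "kernel-mode fault";
    if (s->null_deref)
        return s->write ? "NULL-pointer write" : "NULL-pointer read";
    return s->write ? "invalid write" : "invalid read";
}

/* The line from this report's var_log_messages section. */
static const char *REPORT_LINE =
    "Mar 16 12:25:53 boulet kernel: [ 8460.068561] xmllint[16126]: segfault at 0 "
    "ip 0000000000408fd9 sp 00007fff88eee190 error 4 in xmllint[400000+e000]";

int main(void)
{
    segfault_info s;
    if (!parse_segfault_line(REPORT_LINE, &s)) {
        fputs("not a segfault line\n", stderr);
        return 1;
    }
    printf("%s[%ld]: %s at 0x%lx (ip 0x%lx, error %u)\n",
           s.comm, s.pid, segfault_kind(&s), s.addr, s.ip, s.err);
    return 0;
}
```

Run against the line above it reports `xmllint[16126]: NULL-pointer read at 0x0`; the `ip` value (0x408fd9) falls inside the `xmllint[400000+e000]` mapping, so the fault is in the binary itself rather than in libxml2.so, which is what the later backtrace into `xmllint.c` confirms.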
Comment 1 fred 2012-03-16 08:37:33 EDT
Created attachment 570594 [details]
File: backtrace
Comment 2 fred 2012-03-16 08:37:35 EDT
Created attachment 570595 [details]
File: smolt_data
Comment 3 Fedora End Of Life 2013-01-16 15:39:41 EST
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Patrice FERLET 2013-02-06 04:16:37 EST
Fedora 17, same error on a sitemaps.xml to process... should I recreate a bug report?
Comment 5 Jan Pokorný 2013-02-22 12:32:44 EST
Just hit the same, IMHO fixed by:

> commit bdc64d6d5f5f30982279af23cfa2d3ab08ba34c4
> Author: Daniel Veillard <veillard@redhat.com>
> Date:   Tue Mar 27 14:41:37 2012 +0800
> 
>     Fix a crash with xmllint --path on empty results
>     
>     If the returned node set is empty, it is possible for the nodetab
>     to be null

Unfortunately not in F17 (yet?).
Comment 6 Fedora End Of Life 2013-02-26 10:06:08 EST
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 7 Jan Pokorný 2013-02-26 10:18:28 EST
As per [comment 4] and [comment 5] reopening in F17 context.
Comment 8 Jan Pokorný 2013-02-26 10:21:35 EST
$ rpm -qf $(which xmllint)
libxml2-2.7.8-9.fc17.x86_64
Comment 9 Jan Pokorný 2013-03-28 18:34:58 EDT
Fixed summary as --xpath is the triggering parameter, not --path.

$ echo "<oops/>" | xmllint --xpath "//*[nothing]/*" -
> Segmentation fault (core dumped)


In detail:

$ echo -e "define hook-stop\nbt full\nend\nrun\n<oops/>" \
  | gdb -args xmllint --xpath "//*[nothing]/*" - \
  | sed '/(gdb)/bcont;d;:cont;n;bcont'
> (gdb) >>(gdb) Starting program: /usr/bin/xmllint --xpath //\*\[nothing\]/\* -
> 
> Program received signal SIGSEGV, Segmentation fault.
> #0  0x0000000000408121 in doXPathDump (cur=0x81d250) at xmllint.c:2075
>         i = <optimized out>
>         node = <optimized out>
>         ctxt = <optimized out>
> #1  doXPathQuery (query=<optimized out>, doc=0x81d8b0) at xmllint.c:2149
>         ctxt = 0x81d680
>         res = 0x81d250
> #2  parseAndPrintFile (filename=filename@entry=0x7fffffffe3df "-",
>                        rectxt=rectxt@entry=0x0) at xmllint.c:2424
>         doc = 0x81d8b0
>         tmp = <optimized out>
> #3  0x0000000000406912 in main (argc=4, argv=0x7fffffffe098) at xmllint.c:3710
>         i = <optimized out>
>         acount = <optimized out>
>         files = <optimized out>
>         version = <optimized out>
>         indent = <optimized out>
> 0x0000000000408121 in doXPathDump (cur=0x81d250) at xmllint.c:2075
> 2075	            if (cur->nodesetval->nodeNr <= 0) {
> (gdb) quit
> A debugging session is active.
> 
> 	Inferior 1 [process 21610] will be killed.
> 
> Quit anyway? (y or n) [answered Y; input not from terminal]

$ echo -e 'define hook-stop\np cur->nodesetval\nbt full\nend\nrun\n<oops/>' \
  | gdb -args xmllint --xpath "//*[nothing]/*" - \
  | sed '/(gdb)/bcont;d;:cont;n;bcont'
> (gdb) >>>(gdb) Starting program: /usr/bin/xmllint --xpath //\*\[nothing\]/\* -
> 
> Program received signal SIGSEGV, Segmentation fault.
> $1 = (xmlNodeSetPtr) 0x0
> #0  0x0000000000408121 in doXPathDump (cur=0x81d2b0) at xmllint.c:2075
>         i = <optimized out>
>         node = <optimized out>
>         ctxt = <optimized out>
> #1  doXPathQuery (query=<optimized out>, doc=0x81d8b0) at xmllint.c:2149
>         ctxt = 0x81d680
>         res = 0x81d2b0
> #2  parseAndPrintFile (filename=filename@entry=0x7fffffffe3df "-",
>                        rectxt=rectxt@entry=0x0) at xmllint.c:2424
>         doc = 0x81d8b0
>         tmp = <optimized out>
> #3  0x0000000000406912 in main (argc=4, argv=0x7fffffffe098) at xmllint.c:3710
>         i = <optimized out>
>         acount = <optimized out>
>         files = <optimized out>
>         version = <optimized out>
>         indent = <optimized out>
> 0x0000000000408121 in doXPathDump (cur=0x81d2b0) at xmllint.c:2075
> 2075	            if (cur->nodesetval->nodeNr <= 0) {
> (gdb) quit
> A debugging session is active.
> 
> 	Inferior 1 [process 22291] will be killed.
> 
> Quit anyway? (y or n) [answered Y; input not from terminal]


I can confirm this is fixed in F18 (libxml2-2.9.0-3.fc18), though.
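The gdb session above pins the crash down: `cur->nodesetval` is `(xmlNodeSetPtr) 0x0` when the XPath expression matches nothing, and line 2075 dereferences it before checking `nodeNr`. The commit quoted in comment 5 describes the fix as treating a missing node set like an empty one. The block below is an added example, not libxml2's or xmllint's code: it models the three result shapes `doXPathDump` can receive (no node set, an allocated empty set, a populated set) with stand-in structs whose field names mirror libxml2's `nodesetval`, `nodeNr` and `nodeTab`, and shows the guard that reports an empty set instead of reading address 0. The status values and node names are constructed.

```c
/* Added example, not libxml2's or xmllint's code. It models the result
 * shapes doXPathDump can receive and the guard that turns the crash into an
 * "empty set" status. Assumptions: the struct fields mirror libxml2's
 * xmlXPathObject->nodesetval and xmlNodeSet->nodeNr / nodeTab, the status
 * values are constructed, and the guard follows what the commit in comment 5
 * describes (a NULL node set is treated as empty). */
#include <stdio.h>
#include <stdlib.h>

typedef struct { const char *name; } xnode;   /* stand-in for xmlNode */

typedef struct {
    int     nodeNr;   /* number of nodes in nodeTab */
    xnode **nodeTab;  /* may be NULL when nodeNr == 0 */
} xnodeset;

typedef struct {
    xnodeset *nodesetval;  /* NULL when evaluation produced no node set */
} xpath_result;

enum { XPATH_OK = 0, XPATH_EMPTY = 10 };  /* constructed exit statuses */

/* Original shape at xmllint.c:2075, which dereferences nodesetval first:
 *     if (cur->nodesetval->nodeNr <= 0) { ... }
 * With "//*[nothing]/*" against "<oops/>" nodesetval is NULL, so this is
 * the read of address 0 seen in the backtrace. */

/* Hardened: a NULL node set counts as zero nodes. */
static int xpath_result_count(const xpath_result *cur)
{
    if (cur == NULL || cur->nodesetval == NULL)
        return 0;
    return cur->nodesetval->nodeNr;
}

/* Modelled on the NODESET branch of doXPathDump: print each node name, or
 * report an empty result and return a non-zero status instead of crashing. */
static int dump_xpath_result(const xpath_result *cur, FILE *out)
{
    int n = xpath_result_count(cur);
    if (n <= 0) {
        fprintf(stderr, "XPath set is empty\n");
        return XPATH_EMPTY;
    }
    for (int i = 0; i < n; i++) {
        const xnode *node = cur->nodesetval->nodeTab[i];
        if (node != NULL)
            fprintf(out, "%s\n", node->name);
    }
    return XPATH_OK;
}

/* Constructed results: has_set == 0 gives the NULL node set seen in the gdb
 * session; otherwise a set holding `count` (0..2) nodes. */
static xpath_result *make_result(int has_set, int count)
{
    static xnode nodes[2] = { { "loc" }, { "loc" } };
    static xnode *tab[2] = { &nodes[0], &nodes[1] };
    xpath_result *r = calloc(1, sizeof *r);
    if (r == NULL || !has_set)
        return r;
    r->nodesetval = calloc(1, sizeof *r->nodesetval);
    if (r->nodesetval == NULL) {
        free(r);
        return NULL;
    }
    if (count < 0) count = 0;
    if (count > 2) count = 2;
    r->nodesetval->nodeNr = count;
    r->nodesetval->nodeTab = count > 0 ? tab : NULL;
    return r;
}

static void free_result(xpath_result *r)
{
    if (r != NULL) {
        free(r->nodesetval);
        free(r);
    }
}

int main(void)
{
    xpath_result *shapes[3] = { make_result(0, 0), make_result(1, 0), make_result(1, 2) };
    for (int i = 0; i < 3; i++) {
        int status = dump_xpath_result(shapes[i], stdout);
        printf("shape %d -> %d node(s), status %d\n",
               i, xpath_result_count(shapes[i]), status);
        free_result(shapes[i]);
    }
    return 0;
}
```

The first shape is the one the two gdb runs above show; the second is the case the unpatched check was written for; only the third prints anything. Putting the NULL test in the count helper means every caller that later iterates `nodeTab` goes through the same guard, rather than relying on each branch of the dump to remember it.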
Comment 10 Fedora End Of Life 2013-07-04 02:36:11 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 17 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to change the
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 11 Fedora End Of Life 2013-08-01 14:11:46 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
