Bug 804056 - xmllint --xpath crashes on empty results (null pointer dereference in doXPathDump)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: libxml2
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Veillard
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:06910dfc94710a76ec1f25e399b...
Depends On:
Blocks:
 
Reported: 2012-03-16 12:37 UTC by fred
Modified: 2013-08-01 18:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-01 18:11:40 UTC
Type: ---


Attachments
backtrace (84.54 KB, text/plain), 2012-03-16 12:37 UTC, fred
smolt_data (4.61 KB, text/plain), 2012-03-16 12:37 UTC, fred

Description fred 2012-03-16 12:37:28 UTC
libreport version: 2.0.8
abrt_version:   2.0.7
backtrace_rating: 4
cmdline:        xmllint --xpath /urlset/url/loc/text() plopi
comment:        using --xpath expr on a standard file
crash_function: doXPathDump
executable:     /usr/bin/xmllint
kernel:         3.2.9-2.fc16.x86_64
pid:            16126
pwd:            /home/fred
reason:         Process /usr/bin/xmllint was killed by signal 11 (SIGSEGV)
time:           ven. 16 mars 2012 12:25:53 CET
uid:            1000
username:       fred

backtrace:      Text file, 86567 bytes
smolt_data:     Text file, 4721 bytes

dso_list:
:/lib64/libdl-2.14.90.so glibc-2.14.90-24.fc16.6.x86_64 (Fedora Project) 1330335213
:/lib64/libm-2.14.90.so glibc-2.14.90-24.fc16.6.x86_64 (Fedora Project) 1330335213
:/lib64/libc-2.14.90.so glibc-2.14.90-24.fc16.6.x86_64 (Fedora Project) 1330335213
:/usr/bin/xmllint libxml2-2.7.8-6.fc16.x86_64 (Fedora Project) 1320287304
:/usr/bin/xmllint libxml2-2.7.8-6.fc16.i686 (Fedora Project) 1322240996
:/usr/lib64/libxml2.so.2.7.8 libxml2-2.7.8-6.fc16.x86_64 (Fedora Project) 1320287304
:/lib64/libz.so.1.2.5 zlib-1.2.5-6.fc16.x86_64 (Fedora Project) 1327309240
:/lib64/ld-2.14.90.so glibc-2.14.90-24.fc16.6.x86_64 (Fedora Project) 1330335213

environ:

event_log:
:2012-03-16-12:26:23> Interrogation des paramètres de serveur
:2012-03-16-12:26:23  Préparation de l'archive à envoyer
:2012-03-16-12:26:24  Envoi de 202024 octets
:2012-03-16-12:26:25  Transfert réussi
:2012-03-16-12:26:26  Le travail de retrace a commencé
:2012-03-16-12:26:39  Analyzing crash data
:2012-03-16-12:26:49  Initializing virtual root
:2012-03-16-12:27:00  Initializing virtual root
:2012-03-16-12:27:11  Initializing virtual root
:2012-03-16-12:27:22  Initializing virtual root
:2012-03-16-12:27:33  Initializing virtual root
:2012-03-16-12:27:43  Initializing virtual root
:2012-03-16-12:27:54  Generating backtrace
:2012-03-16-12:28:05  Retrace job finished successfully
:2012-03-16-13:37:12> Smolt profile successfully saved

maps:

var_log_messages:
:Mar 16 12:25:53 boulet kernel: [ 8460.068561] xmllint[16126]: segfault at 0 ip 0000000000408fd9 sp 00007fff88eee190 error 4 in xmllint[400000+e000]
:Mar 16 12:25:53 boulet abrt[16127]: Saved core dump of pid 16126 (/usr/bin/xmllint) to /var/spool/abrt/ccpp-2012-03-16-12:25:53-16126 (2899968 bytes)

Comment 1 fred 2012-03-16 12:37:33 UTC
Created attachment 570594
File: backtrace

Comment 2 fred 2012-03-16 12:37:35 UTC
Created attachment 570595
File: smolt_data

Comment 3 Fedora End Of Life 2013-01-16 20:39:41 UTC
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Patrice FERLET 2013-02-06 09:16:37 UTC
Fedora 17, same error on a sitemaps.xml to process... should I recreate a bug report?

Comment 5 Jan Pokorný [poki] 2013-02-22 17:32:44 UTC
Just hit the same, IMHO fixed by:

> commit bdc64d6d5f5f30982279af23cfa2d3ab08ba34c4
> Author: Daniel Veillard <veillard>
> Date:   Tue Mar 27 14:41:37 2012 +0800
> 
>     Fix a crash with xmllint --path on empty results
>     
>     If the returned node set is empty, it is possible for the nodetab
>     to be null

Unfortunately not in F17 (yet?).

Comment 6 Fedora End Of Life 2013-02-26 15:06:08 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 7 Jan Pokorný [poki] 2013-02-26 15:18:28 UTC
As per [comment 4] and [comment 5] reopening in F17 context.

Comment 8 Jan Pokorný [poki] 2013-02-26 15:21:35 UTC
$ rpm -qf $(which xmllint)
libxml2-2.7.8-9.fc17.x86_64

Comment 9 Jan Pokorný [poki] 2013-03-28 22:34:58 UTC
Fixed summary as --xpath is the triggering parameter, not --path.

$ echo "<oops/>" | xmllint --xpath "//*[nothing]/*" -
> Segmentation fault (core dumped)


In detail:

$ echo -e "define hook-stop\nbt full\nend\nrun\n<oops/>" \
  | gdb -args xmllint --xpath "//*[nothing]/*" - \
  | sed '/(gdb)/bcont;d;:cont;n;bcont'
> (gdb) >>(gdb) Starting program: /usr/bin/xmllint --xpath //\*\[nothing\]/\* -
> 
> Program received signal SIGSEGV, Segmentation fault.
> #0  0x0000000000408121 in doXPathDump (cur=0x81d250) at xmllint.c:2075
>         i = <optimized out>
>         node = <optimized out>
>         ctxt = <optimized out>
> #1  doXPathQuery (query=<optimized out>, doc=0x81d8b0) at xmllint.c:2149
>         ctxt = 0x81d680
>         res = 0x81d250
> #2  parseAndPrintFile (filename=filename@entry=0x7fffffffe3df "-",
>                        rectxt=rectxt@entry=0x0) at xmllint.c:2424
>         doc = 0x81d8b0
>         tmp = <optimized out>
> #3  0x0000000000406912 in main (argc=4, argv=0x7fffffffe098) at xmllint.c:3710
>         i = <optimized out>
>         acount = <optimized out>
>         files = <optimized out>
>         version = <optimized out>
>         indent = <optimized out>
> 0x0000000000408121 in doXPathDump (cur=0x81d250) at xmllint.c:2075
> 2075	            if (cur->nodesetval->nodeNr <= 0) {
> (gdb) quit
> A debugging session is active.
> 
> 	Inferior 1 [process 21610] will be killed.
> 
> Quit anyway? (y or n) [answered Y; input not from terminal]

$ echo -e 'define hook-stop\np cur->nodesetval\nbt full\nend\nrun\n<oops/>' \
  | gdb -args xmllint --xpath "//*[nothing]/*" - \
  | sed '/(gdb)/bcont;d;:cont;n;bcont'
> (gdb) >>>(gdb) Starting program: /usr/bin/xmllint --xpath //\*\[nothing\]/\* -
> 
> Program received signal SIGSEGV, Segmentation fault.
> $1 = (xmlNodeSetPtr) 0x0
> #0  0x0000000000408121 in doXPathDump (cur=0x81d2b0) at xmllint.c:2075
>         i = <optimized out>
>         node = <optimized out>
>         ctxt = <optimized out>
> #1  doXPathQuery (query=<optimized out>, doc=0x81d8b0) at xmllint.c:2149
>         ctxt = 0x81d680
>         res = 0x81d2b0
> #2  parseAndPrintFile (filename=filename@entry=0x7fffffffe3df "-",
>                        rectxt=rectxt@entry=0x0) at xmllint.c:2424
>         doc = 0x81d8b0
>         tmp = <optimized out>
> #3  0x0000000000406912 in main (argc=4, argv=0x7fffffffe098) at xmllint.c:3710
>         i = <optimized out>
>         acount = <optimized out>
>         files = <optimized out>
>         version = <optimized out>
>         indent = <optimized out>
> 0x0000000000408121 in doXPathDump (cur=0x81d2b0) at xmllint.c:2075
> 2075	            if (cur->nodesetval->nodeNr <= 0) {
> (gdb) quit
> A debugging session is active.
> 
> 	Inferior 1 [process 22291] will be killed.
> 
> Quit anyway? (y or n) [answered Y; input not from terminal]


I can confirm this is fixed in F18 (libxml2-2.9.0-3.fc18), though.
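The null dereference that the gdb session above pins to xmllint.c:2075, modelled as an added example that is not xmllint's or libxml2's code: the unguarded check from the page beside a guarded one that treats a NULL nodesetval (what gdb printed) and a NULL nodeTab (the case the commit message in comment 5 describes) as an empty result. The struct types, node values and URLs are constructed stand-ins that borrow libxml2's field names; they are not the library's definitions.

```c
/* Added example, not xmllint/libxml2 code: stand-ins for the structures
 * doXPathDump walks (field names follow libxml2's xpath.h). */
#include <stdio.h>
typedef struct { const char *name; const char *content; } node_t; /* xmlNode stand-in */
typedef struct {
    int      nodeNr;   /* number of nodes in the set */
    node_t **nodeTab;  /* may be NULL for an empty set (the commit message's case) */
} nodeset_t;           /* xmlNodeSet stand-in */
typedef struct {
    int        type;        /* XPATH_NODESET for every object below */
    nodeset_t *nodesetval;  /* NULL when evaluation yields no set (gdb's "$1 = 0x0") */
} xpath_obj_t;              /* xmlXPathObject stand-in */

/* Pre-fix logic from xmllint.c:2075 as quoted on the page: nodesetval is dereferenced
 * before any check, so nodesetval == NULL is the SIGSEGV in the backtrace. Never
 * called on such an object here. Returns the node count, or -1 if the set is empty. */
static int dump_nodeset_unguarded(const xpath_obj_t *cur)
{
    if (cur->nodesetval->nodeNr <= 0)
        return -1;                                /* "XPath set is empty" */
    for (int i = 0; i < cur->nodesetval->nodeNr; i++)
        printf("%s: %s\n", cur->nodesetval->nodeTab[i]->name,
               cur->nodesetval->nodeTab[i]->content);
    return cur->nodesetval->nodeNr;
}

/* Guarded form: NULL object, NULL node set, zero nodes or NULL nodeTab are
 * all reported as empty instead of being dereferenced. */
static int dump_nodeset_guarded(const xpath_obj_t *cur)
{
    if (cur == NULL || cur->nodesetval == NULL ||
        cur->nodesetval->nodeNr <= 0 || cur->nodesetval->nodeTab == NULL)
        return -1;
    for (int i = 0; i < cur->nodesetval->nodeNr; i++) {
        const node_t *n = cur->nodesetval->nodeTab[i];
        if (n != NULL)
            printf("%s: %s\n", n->name, n->content);
    }
    return cur->nodesetval->nodeNr;
}

/* Constructed results: two sitemap <loc> nodes, an empty set, and the NULL
 * set the gdb session printed for "//*[nothing]/*" on <oops/>. */
static node_t loc_a = { "loc", "https://example.invalid/a" };
static node_t loc_b = { "loc", "https://example.invalid/b" };
static node_t *two_tab[] = { &loc_a, &loc_b };
static nodeset_t two_set = { 2, two_tab }, zero_set = { 0, NULL };
static xpath_obj_t result_two = { 1, &two_set }, result_zero = { 1, &zero_set };
static xpath_obj_t result_null_set = { 1, NULL };
int main(void)
{
    printf("%d %d %d %d\n", dump_nodeset_unguarded(&result_two), dump_nodeset_guarded(&result_two),
           dump_nodeset_guarded(&result_zero), dump_nodeset_guarded(&result_null_set)); /* 2 2 -1 -1 */
    return 0;
}
```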

Comment 10 Fedora End Of Life 2013-07-04 06:36:11 UTC
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 11 Fedora End Of Life 2013-08-01 18:11:46 UTC
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

