Subject: NULL ptr seg fault
Date: Mon, 14 May 2007 17:14:30 -0400
To: bug-XML-LibXML [...] rt.cpan.org
From: Mark Steckel <mjs [...] fix.net>
Hello,
XML::LibXML fails under certain circumstances due to a NULL ptr dereference.
The function just below from dom.c can seg fault if the parameter ns is NULL.
domAddNsDef(xmlNodePtr tree, xmlNsPtr ns)
{
    xmlNsPtr i = tree->nsDef;
    while(i != NULL && i != ns)
        i = i->next;
    if( i == NULL )
    {
        ns->next = tree->nsDef; /* Fails if ns is NULL */
        tree->nsDef = ns;
    }
}
This error seems to occur because the return value from a libxml2
function is not checked for failure before being passed to
domAddNsDef(). Specifically, the function dom.c:_domReconcileNsAttr()
calls xmlCopyNamespace() which returns NULL if an error occurs. This
error occurs with libxml2-2.6.27 and libxml2-2.6.28.
I created the following work-around.
diff -r -w -c XML-LibXML-1.63/dom.c XML-LibXML-1.63-new/dom.c
*** XML-LibXML-1.63/dom.c 2007-02-26 08:24:12.000000000 -0500
--- XML-LibXML-1.63-new/dom.c 2007-05-14 14:03:34.000000000 -0400
***************
*** 114,119 ****
--- 114,120 ----
{
/* Replace/Add the namespace declaration on the element */
attr->ns = xmlCopyNamespace(attr->ns);
+ if (attr->ns != NULL)
domAddNsDef(tree, attr->ns);
}
}
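Review bot: the new `if (attr->ns != NULL)` guard stops the crash, but by then `attr->ns = xmlCopyNamespace(attr->ns);` has already overwritten the attribute's namespace pointer with NULL, so a failed copy silently leaves the attribute with no namespace and no error is reported. Consider copying into a temporary, assigning `attr->ns` and calling `domAddNsDef()` only when the copy succeeded, and reporting the failure to the caller otherwise. The guard also has no braces and depends on the following line staying a single statement, so bracing it would make the intent explicit.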
It probably makes more sense to validate the ptrs that are passed to
domAddNsDef(), but I am uncertain what action should be taken if
either ptr is NULL.
Additional info follows.
Thanks
Mark
------------
CentOS 4.4
[root@dizzy perl]# uname -a
Linux dizzy.abcxyz.com 2.6.9-42.EL #1 Sat Aug 12 09:17:58 CDT 2006 i686 i686 i386 GNU/Linux
[root@dizzy perl]# perl -V
Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
Platform:
osname=linux, osvers=2.6.9-42.el, archname=i686-linux-thread-multi
uname='linux dizzy.huffingtonpost.com 2.6.9-42.el #1 sat aug 12
09:17:58 cdt 2006 i686 i686 i386 gnulinux '
config_args=''
hint=recommended, useposix=true, d_sigaction=define
usethreads=define use5005threads=undef useithreads=define
usemultiplicity=define
useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
use64bitint=undef use64bitall=undef uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE
-DTHREADS_HAVE_PIDS -fno-strict-aliasing -pipe
-Wdeclaration-after-statement -I/usr/local/include
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-O2',
cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS
-fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include'
ccversion='', gccversion='3.4.6 20060404 (Red Hat 3.4.6-3)',
gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long', ivsize=4, nvtype='double', nvsize=8,
Off_t='off_t', lseeksize=8
alignbytes=4, prototype=define
Linker and Libraries:
ld='gcc', ldflags =' -L/usr/local/lib'
libpth=/usr/local/lib /lib /usr/lib
libs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
libc=/lib/libc-2.3.4.so, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.3.4'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'
Characteristics of this binary (from libperl):
Compile-time options: MULTIPLICITY PERL_IMPLICIT_CONTEXT
PERL_MALLOC_WRAP THREADS_HAVE_PIDS USE_ITHREADS
USE_LARGE_FILES USE_PERLIO USE_REENTRANT_API
Built under linux
Compiled at Jan 30 2007 16:49:58
@INC:
/usr/local/lib/perl5/5.8.8/i686-linux-thread-multi
/usr/local/lib/perl5/5.8.8
/usr/local/lib/perl5/site_perl/5.8.8/i686-linux-thread-multi
/usr/local/lib/perl5/site_perl/5.8.8
/usr/local/lib/perl5/site_perl
.
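
The following is an added example, not part of the original report and not XML::LibXML or libxml2 code. It sketches one possible answer to the question raised above about validating the pointers passed to domAddNsDef(): return an error code and leave the attribute's namespace untouched when the copy fails. The Ns/Node/Attr types, copy_ns(), add_ns_def_checked(), reconcile_attr_ns() and the failure policy are all assumptions made for illustration; copy_ns() stands in for xmlCopyNamespace().

```c
#include <stdlib.h>

/* Stand-in types (assumption): only the fields the report's code touches. */
typedef struct Ns { struct Ns *next; const char *href; const char *prefix; } Ns;
typedef struct Node { Ns *nsDef; } Node;
typedef struct Attr { Ns *ns; } Attr;

int copy_should_fail = 0;   /* demo hook: simulate a failing copy */

/* Hypothetical stand-in for xmlCopyNamespace(): returns NULL on error. */
Ns *copy_ns(const Ns *src) {
    if (src == NULL || copy_should_fail) return NULL;
    Ns *n = malloc(sizeof *n);
    if (n == NULL) return NULL;
    n->next = NULL; n->href = src->href; n->prefix = src->prefix;
    return n;
}

/* Validating variant of domAddNsDef(): 0 on success, -1 on a NULL argument. */
int add_ns_def_checked(Node *tree, Ns *ns) {
    if (tree == NULL || ns == NULL) return -1;
    Ns *i = tree->nsDef;
    while (i != NULL && i != ns) i = i->next;
    if (i == NULL) {            /* not yet declared on this element */
        ns->next = tree->nsDef;
        tree->nsDef = ns;
    }
    return 0;
}

/* Copy into a temporary so a failed copy leaves attr->ns as it was. */
int reconcile_attr_ns(Node *tree, Attr *attr) {
    if (tree == NULL || attr == NULL) return -1;
    Ns *copy = copy_ns(attr->ns);
    if (copy == NULL) return -1;                 /* caller sees the failure */
    if (add_ns_def_checked(tree, copy) != 0) { free(copy); return -1; }
    attr->ns = copy;
    return 0;
}

/* Constructed scenario: returns 1 if the outcome matches the policy above. */
int demo(int fail) {
    Ns orig = { NULL, "urn:example", "ex" };
    Node tree = { NULL }; Attr attr = { &orig };
    copy_should_fail = fail;
    int rc = reconcile_attr_ns(&tree, &attr);
    copy_should_fail = 0;
    if (fail) return rc == -1 && tree.nsDef == NULL && attr.ns == &orig;
    int ok = rc == 0 && tree.nsDef == attr.ns && attr.ns != &orig;
    if (ok) free(attr.ns);
    return ok;
}
```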