segfault in dom_document_parser in recovery mode

Bug #47220	segfault in dom_document_parser in recovery mode
Submitted:	2009-01-26 16:54 UTC	Modified:	2009-01-26 20:04 UTC
From:	felix-php at 7val dot com	Assigned:
Status:	Closed	Package:	DOM XML related
PHP Version:	5.2.8	OS:	Debian Linux
Private report:	No	CVE-ID:	None

[2009-01-26 16:54 UTC] felix-php at 7val dot com

Description:
------------
A call to DOMDocument::load() or ::loadXML() in recovery mode leads to segmentation fault in dom_document_parser) when the XML declaration contains an unknown (and unrecoverable) encoding.

The segfault occurs in document.c +1690 when trying to access properties of the result document (ret), which is NULL in this case:

  if (ret->URL == NULL && ctxt->directory != NULL) {

Reproduce code:
---------------
<?php
$xml = '<?xml version="1.0" encoding="bad"?>';
$dom = new DOMDocument;
$dom->recover = true;
$dom->loadXML($xml);
echo $dom->saveXML();

Expected result:
----------------
<?xml version="1.0"?>

Actual result:
--------------
Segmentation Fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-01-26 20:05 UTC] rrichards@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.