GNOME Bugzilla – Bug 109327
xinclude illegal memory access (of realloced mem)
Last modified: 2009-08-15 18:40:50 UTC
Preface:
========
This was on libxml2 v2.5.5 (but your version numbers stop at 2.5.2 in the bugzilla interface).

Brief:
======
xinclude.c:250 reallocs the urlTab and stores the result pointer in the current context, while outer contexts continue to point to the original location. If realloc moves the enlarged memory block (which it is allowed to and does if it can't extend it in-place), accesses to the urlTab array stored in the outer contexts (as soon as they become current again) reference a memory region that does not contain the urlTab char** array anymore (since it was moved) - so it's a dangling pointer reference with whatever it might lead to in the particular case (luckily SEGV in mine).

Details:
========
Program received signal SIGSEGV, Segmentation fault.
0x40080fb4 in xmlStrEqual (
    str1=0x8b8c421 "./xml/userguide/step-by-step/ssh/intro.xml",
    str2=0x74686264 <Address 0x74686264 out of bounds>)
    at /proj/vssad/local/src/l/libxml2-2.5.5/parser.c:1317
1317        if (*str1++ != *str2) return(0);
(gdb) bt
Trace 35315
***** so the problem is in the recursion check loop
(gdb) p URL
$1 = (xmlChar *) 0x8b8c420 "../xml/userguide/step-by-step/ssh/intro.xml"
***** URL looks right
(gdb) p *ctxt
$2 = {doc = 0x8bb4500, incBase = 14, incNr = 14, incMax = 16, incTab = 0x8bac4f0, txtNr = 0, txtMax = 0, txtTab = 0x0, txturlTab = 0x0, url = 0x8bb4558 "../xml/userguide/step-by-step/ssh/ssh.xml", urlNr = 4, urlMax = 4, urlTab = 0x88c9db8, nbErrors = 0}
***** ctxt looks right
(gdb) x/4 ctxt.urlTab
0x88c9db8: 0x74686264 0x40006c6d 0x00656c62 0x08bb4558
***** urlTab[0] and urlTab[1] look broken though
***** in fact they look like ASCII characters
(gdb) p (char*) &ctxt.urlTab[0]
$3 = 0x88c9db8 "command"
***** and surprise, they are an ASCII string, in fact they are the name
***** of a tag that was recently parsed

Solution:
=========
xmlXIncludeRecurseDoc(...) xinclude.c:525
    newctxt->urlTab = ctxt->urlTab;
Copying just the char** seems the wrong thing to do in light of potentially doing a realloc on the newctxt->urlTab (xinclude.c:250), since this will invalidate the outer ctxt->urlTab pointer. Either allocate a new copy of the char** (and a copy of the char* pointed to) for newctxt, so the realloc will not free the original ctxt->urlTab, or just have ONE pointer to a urlTab used by all contexts - I don't see a reason why there might be any more than one urlTab, but I might be missing something.

PS:
===
Don't know if the same problem might also exist with some of the other fields of struct _xmlXIncludeCtxt - did not check.
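The aliasing the report describes, as an added example in C that is not libxml2's code: the shallow copy of urlTab into a child context leaves the parent stale after the child's realloc, while a single table shared by pointer stays consistent for every nesting level. Ctxt, UrlTab, push_url and the two check functions are hypothetical stand-ins for xmlXIncludeCtxt and its helpers; only the field names urlTab/urlNr/urlMax and the line references come from the report.

```c
/* Added example, not libxml2 code. Field names urlTab/urlNr/urlMax mirror the
 * report; Ctxt, UrlTab and the functions are hypothetical stand-ins. */
#include <stdlib.h>

#define INIT_MAX 4   /* urlMax = 4, as in the gdb session above */

typedef struct { char **urlTab; int urlNr; int urlMax; } Ctxt;  /* buggy: pointer copied per context */
typedef struct { char **tab; int nr; int max; } UrlTab;         /* fix: one table, shared by pointer */

/* Grow-by-realloc push, as at xinclude.c:250. Entries are string literals, so
 * only the table itself is ever freed. */
static void push_url(char ***tab, int *nr, int *max, const char *url) {
    if (*nr >= *max) {
        char **t = realloc(*tab, (size_t)(*max) * 2 * sizeof *t);
        if (t == NULL) abort();
        *tab = t;            /* only the caller's copy of the pointer is updated */
        *max *= 2;
    }
    (*tab)[(*nr)++] = (char *)url;
}

/* Bug: xmlXIncludeRecurseDoc copies the char** into the child context. Once the
 * child grows the table, the parent's pointer and size describe a block that may
 * already have been freed by realloc (the "command" garbage in the gdb dump). */
int parent_stale_after_shallow_copy(void) {
    Ctxt ctxt = { calloc(INIT_MAX, sizeof(char *)), 0, INIT_MAX };
    for (int i = 0; i < INIT_MAX; i++)
        push_url(&ctxt.urlTab, &ctxt.urlNr, &ctxt.urlMax, "ssh.xml");
    Ctxt newctxt = ctxt;     /* newctxt->urlTab = ctxt->urlTab (xinclude.c:525) */
    push_url(&newctxt.urlTab, &newctxt.urlNr, &newctxt.urlMax, "intro.xml");
    /* The size mismatch alone proves the parent is stale; never dereference
     * ctxt.urlTab here, it is dangling whenever realloc moved the block. */
    int stale = ctxt.urlMax != newctxt.urlMax || ctxt.urlTab != newctxt.urlTab;
    free(newctxt.urlTab);    /* the live block; ctxt.urlTab must not be freed again */
    return stale;
}

/* Fix in the direction of the follow-up: every context points at the same UrlTab,
 * so the realloc result lands in the one struct all nesting levels read. */
int parent_valid_with_shared_table(void) {
    UrlTab urls = { calloc(INIT_MAX, sizeof(char *)), 0, INIT_MAX };
    UrlTab *ctxt_urls = &urls, *newctxt_urls = ctxt_urls;   /* child shares, not copies */
    for (int i = 0; i < INIT_MAX; i++)
        push_url(&ctxt_urls->tab, &ctxt_urls->nr, &ctxt_urls->max, "ssh.xml");
    push_url(&newctxt_urls->tab, &newctxt_urls->nr, &newctxt_urls->max, "intro.xml");
    int valid = ctxt_urls->tab == newctxt_urls->tab && ctxt_urls->nr == INIT_MAX + 1;
    free(urls.tab);
    return valid;
}
```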
Hum, right, good analysis! The simplest is to keep a single urlTab for the whole XInclude process. I think the following patch should do it: http://veillard.com/xinclude.c.109327.patch Could you try it and report? thanks, Daniel
Yeap, your patch fixes the problem for me. - thanks
This should be closed by release of libxml2-2.5.6, thanks, Daniel