Bug 351032 - heap corruption in xmlschemas.c: xmlSchemaXPathEvaluate
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: 2.6.x
Hardware: Other
OS: All
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Duplicates: 350247
Depends on:
Blocks:
Reported: 2006-08-12 11:45 UTC by Marton ILLES
Modified: 2006-08-15 12:29 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Marton ILLES 2006-08-12 11:45:13 UTC
Steps to reproduce:
Create a schema with a unique check, using ".//*" as the selector XPath, on an XML tree more than 5 levels deep.

Stack trace:
*** glibc detected *** free(): invalid next size (fast): 0x08640848 ***
Aborted (core dumped)


(gdb) bt
#0 __kernel_vsyscall
#1 raise from /lib/tls/i686/cmov/libc.so.6
#2 abort from /lib/tls/i686/cmov/libc.so.6
#3 __libc_message from /lib/tls/i686/cmov/libc.so.6
#4 _int_free from /lib/tls/i686/cmov/libc.so.6
#5 free from /lib/tls/i686/cmov/libc.so.6
#6 xmlSchemaFreeIDCStateObjList at xmlschemas.c line 3843
#7 xmlSchemaFreeValidCtxt__internal_alias at xmlschemas.c line 27204
#8 zif_dom_document_validate
#9 execute
#10 execute
#11 zend_execute_scripts
#12 php_execute_script
#13 main

Other information:
--- /tmp/libxml2-2.6.24.dfsg/xmlschemas.c       2006-04-21 19:28:02.000000000 +0200
+++ xmlschemas.c        2006-08-11 13:57:16.000000000 +0200
@@ -22156,7 +22156,7 @@
                    "allocating the state object history", NULL);
                return(-1);
            }
-           sto->sizeHistory = 10;
+           sto->sizeHistory = 5;
        } else if (sto->sizeHistory <= sto->nbHistory) {
            sto->sizeHistory *= 2;
            sto->history = (int *) xmlRealloc(sto->history,
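Review bot: the literal 5 on the `+` line must equal the element count used by the allocation just above this hunk (not shown here); pulling both into one named constant, or setting `sto->sizeHistory` from the same expression as the allocation size, would keep the two from drifting apart again. When `sizeHistory` overstates what was really allocated, the `else if (sto->sizeHistory <= sto->nbHistory)` branch that doubles and reallocs the array only fires after writes have already gone past the end of the buffer, which is consistent with the `free(): invalid next size` abort in the report.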
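To show why the reporter's trigger (a tree more than five levels deep) overruns the history buffer when the claimed capacity is 10 but only 5 ints were allocated, here is an added C model of the grow-when-full logic in the hunk; it is not libxml2's code. The sto_t struct, HISTORY_INITIAL, allocCount and sto_run are assumptions: allocCount records the real allocation so the mismatch is reported instead of corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the IDC state object's depth history, not libxml2's
 * struct. allocCount is instrumentation: the ints really allocated, so a
 * capacity mismatch is reported instead of overrunning the heap. */
typedef struct {
    int *history;
    int  nbHistory;   /* entries in use */
    int  sizeHistory; /* capacity the code claims to have */
    int  allocCount;  /* capacity actually allocated */
} sto_t;
#define HISTORY_INITIAL 5 /* assumed to match the allocation above the hunk */

/* claimedSize = 10 reproduces the pre-patch mismatch, 5 the patched code. */
static int sto_init(sto_t *sto, int claimedSize) {
    memset(sto, 0, sizeof(*sto));
    sto->history = (int *) malloc(HISTORY_INITIAL * sizeof(int));
    if (sto->history == NULL) return -1;
    sto->allocCount = HISTORY_INITIAL;
    sto->sizeHistory = claimedSize;
    return 0;
}

/* Push one depth value with the hunk's grow-when-full rule. Returns 0, -1 if
 * realloc fails, or -2 if the write would land past the real allocation. */
static int sto_push_history(sto_t *sto, int depth) {
    if (sto->sizeHistory <= sto->nbHistory) {
        int *tmp;
        sto->sizeHistory *= 2;
        tmp = (int *) realloc(sto->history, sto->sizeHistory * sizeof(int));
        if (tmp == NULL) return -1;
        sto->history = tmp;
        sto->allocCount = sto->sizeHistory;
    }
    if (sto->nbHistory >= sto->allocCount) return -2; /* the reported bug */
    sto->history[sto->nbHistory++] = depth;
    return 0;
}

/* Init with claimedSize, push one entry per nesting level, free. Returns the
 * first failing push's code, or the final claimed capacity on success. */
static int sto_run(int claimedSize, int levels) {
    sto_t sto; int rc = 0;
    if (sto_init(&sto, claimedSize) != 0) return -1;
    for (int d = 0; d < levels && rc == 0; d++) rc = sto_push_history(&sto, d);
    if (rc == 0) rc = sto.sizeHistory;
    free(sto.history);
    return rc;
}
```

With the pre-patch value, the sixth nesting level is the first write past the five allocated ints; with the patched value the buffer grows 5, 10, 20 as levels are pushed.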
Comment 1 Daniel Veillard 2006-08-12 13:44:01 UTC
Okay, this looks like a stupid mistake and the patch seems correct,
so I applied it in CVS. Could you please provide a full example
(XML/XSD) reproducing this to add to the test suite.

 thanks !

Daniel
Comment 2 kbuchcik 2006-08-15 12:29:28 UTC
*** Bug 350247 has been marked as a duplicate of this bug. ***