[xml/sgml-pkgs] Bug#568382: libxslt1.1: Invalid free() in xslReleaseRVT

Toby Speight T.M.Speight.90 at cantab.net
Thu Feb 4 12:55:32 UTC 2010 

Package: libxslt1.1
Version: 1.1.26-1+b1
Severity: normal

Here's my stylesheet (machine-generated, as you can probably tell):

/--------
| <?xml version="1.0"?>
| <x:stylesheet xmlns:exsl="http://exslt.org/common" xmlns:osmt="http://geotagman.sourceforge.net/" xmlns:x="http://www.w3.org/1999/XSL/Transform" version="1.0"><x:output method="xml"/><x:strip-space elements="node way tag"/><x:template match="node|way|relation"><x:variable name="id307318"><x:apply-templates mode="mid307318" select="."/></x:variable><x:variable name="id307351"><x:apply-templates mode="mid307351" select="exsl:node-set($id307318)"/></x:variable><x:copy-of select="exsl:node-set($id307351)"/></x:template>
|   <x:template mode="mid307318" match="node|way|relation"><x:variable name="vid307322">b(ar)*baz</x:variable><x:choose><x:when test="tag[@k='a' and osmt:regexp($vid307322, at v)]"><x:variable name="id307335"><x:apply-templates mode="mid307335" select="."/></x:variable><x:copy-of select="exsl:node-set($id307335)"/></x:when><x:otherwise><x:variable name="id307343"><x:apply-templates mode="mid307343" select="."/></x:variable><x:copy-of select="exsl:node-set($id307343)"/></x:otherwise></x:choose></x:template><x:template mode="mid307335" match="node|way|relation"><x:copy><x:copy-of select="@*|nd|member|tag[@k!='cp']"/><x:element name="tag"><x:attribute name="k">cp</x:attribute><x:attribute name="v">true</x:attribute></x:element></x:copy></x:template><x:template mode="mid307343" match="node|way|relation"><x:copy><x:copy-of select="@*|nd|member|tag[@k!='cp']"/><x:element name="tag"><x:attribute name="k">cp</x:attribute><x:attribute name="v">false</x:attribute></x:element></x:copy></x:template>
|   <x:template mode="mid307351" match="node|way|relation"><x:variable name="vid307355">(?i)foo.*bar</x:variable><x:choose><x:when test="tag[@k='a' and osmt:regexp($vid307355, at v)]"><x:variable name="id307368"><x:apply-templates mode="mid307368" select="."/></x:variable><x:copy-of select="exsl:node-set($id307368)"/></x:when><x:otherwise><x:variable name="id307376"><x:apply-templates mode="mid307376" select="."/></x:variable><x:copy-of select="exsl:node-set($id307376)"/></x:otherwise></x:choose></x:template><x:template mode="mid307368" match="node|way|relation"><x:copy><x:copy-of select="@*|nd|member|tag[@k!='ci']"/><x:element name="tag"><x:attribute name="k">ci</x:attribute><x:attribute name="v">true</x:attribute></x:element></x:copy></x:template><x:template mode="mid307376" match="node|way|relation"><x:copy><x:copy-of select="@*|nd|member|tag[@k!='ci']"/><x:element name="tag"><x:attribute name="k">ci</x:attribute><x:attribute name="v">false</x:attribute></x:element></x:copy></x:template>
| <x:template match="osm|bound"><x:copy><x:copy-of select="@*"/><x:apply-templates/></x:copy></x:template><x:template match="*"><x:message terminate="yes">Unrecognised element "<x:value-of select="name()"/>"</x:message></x:template></x:stylesheet>
\--------

The extension functions are in Perl:

/--------
| my $osmt_uri = "http://geotagman.sourceforge.net/";
| XML::LibXSLT->register_function($osmt_uri, "eqci",
|                                 # case-insensitive string compare
|                                 sub {
|                                     return uc(shift) eq uc(shift);
|                                 });
| XML::LibXSLT->register_function($osmt_uri, "regexp",
|                                 # regexp compare
|                                 sub {
|                                     my ($pattern, $string) = @_;
|                                     return $string =~ /$pattern/;
|                                 });
\--------

And I sometimes get a plain segfault, and sometimes get a glibc catch:

/--------
| *** glibc detected *** /usr/bin/perl: free(): invalid pointer: 0x00000000023d4a70 ***
| ======= Backtrace: =========
| /lib/libc.so.6[0x7f4dfa6ffd56]
| /lib/libc.so.6(cfree+0x6c)[0x7f4dfa7049bc]
| /usr/lib/libxml2.so.2(xmlHashFree+0xf7)[0x7f4df9ae4057]
| /usr/lib/libxslt.so.1(xsltReleaseRVT+0x7d)[0x7f4df94398dd]
| /usr/lib/libxslt.so.1[0x7f4df94399a0]
| /usr/lib/libxslt.so.1(xsltFreeStackElemList+0x18)[0x7f4df9439f08]
| /usr/lib/libxslt.so.1(xsltLocalVariablePop+0x39)[0x7f4df9448a39]
| /usr/lib/libxslt.so.1[0x7f4df9449ee4]
| /usr/lib/libxslt.so.1[0x7f4df944b226]
| /usr/lib/libxslt.so.1(xsltProcessOneNode+0x87)[0x7f4df944ba57]
| /usr/lib/libxslt.so.1(xsltApplyTemplates+0x409)[0x7f4df944c709]
| /usr/lib/libxslt.so.1[0x7f4df9449b8a]
| /usr/lib/libxslt.so.1(xsltCopy+0x6a)[0x7f4df944d6da]
| /usr/lib/libxslt.so.1[0x7f4df9449b8a]
| /usr/lib/libxslt.so.1[0x7f4df944b226]
| /usr/lib/libxslt.so.1(xsltProcessOneNode+0x87)[0x7f4df944ba57]
| /usr/lib/libxslt.so.1(xsltProcessOneNode+0x65d)[0x7f4df944c02d]
| /usr/lib/libxslt.so.1[0x7f4df944f37a]
| /usr/lib/perl5/auto/XML/LibXSLT/LibXSLT.so(XS_XML__LibXSLT__Stylesheet_transform+0x483)[0x7f4df9667d43]
| /usr/lib/libperl.so.5.10(Perl_pp_entersub+0x5a5)[0x7f4dfb12fd25]
| /usr/lib/libperl.so.5.10(Perl_runops_standard+0x16)[0x7f4dfb12e266]
| /usr/lib/libperl.so.5.10(perl_run+0x33c)[0x7f4dfb0d32ec]
| /usr/bin/perl(main+0xec)[0x400d3c]
| /lib/libc.so.6(__libc_start_main+0xfd)[0x7f4dfa6adabd]
| /usr/bin/perl[0x400b89]
| ======= Memory map: ========
| 00400000-00401000 r-xp 00000000 08:09 742238                             /usr/bin/perl
| 00601000-00602000 rw-p 00001000 08:09 742238                             /usr/bin/perl
| 01db8000-024d2000 rw-p 00000000 00:00 0                                  [heap]
| 7f4df4000000-7f4df4021000 rw-p 00000000 00:00 0 
| 7f4df4021000-7f4df8000000 ---p 00000000 00:00 0 
| 7f4df8331000-7f4df8347000 r-xp 00000000 08:01 145168                     /lib/libgcc_s.so.1
| 7f4df8347000-7f4df8546000 ---p 00016000 08:01 145168                     /lib/libgcc_s.so.1
| 7f4df8546000-7f4df8547000 rw-p 00015000 08:01 145168                     /lib/libgcc_s.so.1
| 7f4df8547000-7f4df8551000 r-xp 00000000 08:09 982997                     /usr/lib/perl/5.10.1/auto/Encode/Encode.so
| 7f4df8551000-7f4df8750000 ---p 0000a000 08:09 982997                     /usr/lib/perl/5.10.1/auto/Encode/Encode.so
| 7f4df8750000-7f4df8751000 rw-p 00009000 08:09 982997                     /usr/lib/perl/5.10.1/auto/Encode/Encode.so
| 7f4df8751000-7f4df8755000 r-xp 00000000 08:09 982963                     /usr/lib/perl/5.10.1/auto/Digest/MD5/MD5.so
| 7f4df8755000-7f4df8954000 ---p 00004000 08:09 982963                     /usr/lib/perl/5.10.1/auto/Digest/MD5/MD5.so
| 7f4df8954000-7f4df8955000 rw-p 00003000 08:09 982963                     /usr/lib/perl/5.10.1/auto/Digest/MD5/MD5.so
| 7f4df8955000-7f4df897b000 r-xp 00000000 08:09 895893                     /usr/lib/libexpat.so.1.5.2
| 7f4df897b000-7f4df8b7b000 ---p 00026000 08:09 895893                     /usr/lib/libexpat.so.1.5.2
| 7f4df8b7b000-7f4df8b7d000 rw-p 00026000 08:09 895893                     /usr/lib/libexpat.so.1.5.2
| 7f4df8b7d000-7f4df8b94000 r-xp 00000000 08:09 939004                     /usr/lib/perl5/auto/XML/Parser/Expat/Expat.so
| 7f4df8b94000-7f4df8d93000 ---p 00017000 08:09 939004                     /usr/lib/perl5/auto/XML/Parser/Expat/Expat.so
| 7f4df8d93000-7f4df8d94000 rw-p 00016000 08:09 939004                     /usr/lib/perl5/auto/XML/Parser/Expat/Expat.so
| 7f4df8d94000-7f4df8d97000 r-xp 00000000 08:09 162965                     /usr/lib/libgpg-error.so.0.4.0
| 7f4df8d97000-7f4df8f96000 ---p 00003000 08:09 162965                     /usr/lib/libgpg-error.so.0.4.0
| 7f4df8f96000-7f4df8f97000 rw-p 00002000 08:09 162965                     /usr/lib/libgpg-error.so.0.4.0
| 7f4df8f97000-7f4df9009000 r-xp 00000000 08:09 895955                     /usr/lib/libgcrypt.so.11.5.2
| 7f4df9009000-7f4df9209000 ---p 00072000 08:09 895955                     /usr/lib/libgcrypt.so.11.5.2
| 7f4df9209000-7f4df920d000 rw-p 00072000 08:09 895955                     /usr/lib/libgcrypt.so.11.5.2
| 7f4df920d000-7f4df9220000 r-xp 00000000 08:09 896666                     /usr/lib/libexslt.so.0.8.15
| 7f4df9220000-7f4df9420000 ---p 00013000 08:09 896666                     /usr/lib/libexslt.so.0.8.15
| 7f4df9420000-7f4df9421000 rw-p 00013000 08:09 896666                     /usr/lib/libexslt.so.0.8.15
| 7f4df9421000-7f4df945c000 r-xp 00000000 08:09 897220                     /usr/lib/libxslt.so.1.1.26
| 7f4df945c000-7f4df965b000 ---p 0003b000 08:09 897220                     /usr/lib/libxslt.so.1.1.26
| 7f4df965b000-7f4df965d000 rw-p 0003a000 08:09 897220                     /usr/lib/libxslt.so.1.1.26
| 7f4df965d000-7f4df966d000 r-xp 00000000 08:09 980589                     /usr/lib/perl5/auto/XML/LibXSLT/LibXSLT.so
| 7f4df966d000-7f4df986d000 ---p 00010000 08:09 980589                     /usr/lib/perl5/auto/XML/LibXSLT/LibXSLT.so
| 7f4df986d000-7f4df986e000 rw-p 00010000 08:09 980589                     /usr/lib/perl5/auto/XML/LibXSLT/LibXSLT.so
| 7f4df986e000-7f4df9885000 r-xp 00000000 08:09 896039                     /usr/lib/libz.so.1.2.3.4
| 7f4df9885000-7f4df9a84000 ---p 00017000 08:09 896039                Aborted
\--------

I can provide more help in reproducing if necessary (but I haven't been
able to reduce to a smaller test case).

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (900, 'stable'), (400, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libxslt1.1 depends on:
ii  libc6                    2.10.2-2        GNU C Library: Shared libraries
ii  libgcrypt11              1.4.4-6         LGPL Crypto library - runtime libr
ii  libxml2                  2.7.6.dfsg-2+b1 GNOME XML library

libxslt1.1 recommends no packages.

libxslt1.1 suggests no packages.

-- no debconf information

More information about the debian-xml-sgml-pkgs mailing list