python crash or exception during XPath query
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
lxml | Confirmed | High | Unassigned | |
Bug Description
If a program executes an XPath query and deletes nodes that are members of the XPath result set at the very same time, a Python crash or an exception can occur.
I attached two scripts to demonstrate this issue. The first script is single-threaded and uses a Python XPath extension function to delete a node that is part of the XPath result set. This example is simple to analyse, but not likely to occur in reality. The second example uses two threads. It is more realistic and reproduces the situation in a real-world application.
For reference
Python : sys.version_
lxml.etree : (2, 3, 3, 0)
libxml used : (2, 7, 8)
libxml compiled : (2, 7, 8)
libxslt used : (1, 1, 26)
libxslt compiled : (1, 1, 26)
Details to reproduce the bug:
Run
python lxmlbug-
or
python lxmlbug-threaded.py
Expected result:
- Output OK or
- Python crash (usually a segmentation fault (Unix) or access violation (Windows))
- Exception:
File "lxml.etree.pyx", line 1447, in lxml.etree.
File "xpath.pxi", line 321, in lxml.etree.
File "xpath.pxi", line 242, in lxml.etree.
File "extensions.pxi", line 546, in lxml.etree.
File "extensions.pxi", line 580, in lxml.etree.
File "extensions.pxi", line 627, in lxml.etree.
NotImplementedE
Security Issues
This bug is probably a typical "access after free" issue. I don't think it is exploitable, but experts should look at it.
This is how I discovered the problem.
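
An application-side way to keep an XPath query and a node deletion from overlapping across threads, the two-thread situation the report describes. This is an added example, not one of the attached scripts and not lxml code; `GuardedTree`, `remove_children` and `run_demo` are hypothetical names, and it assumes all access to the tree can go through one lock.

```python
import threading

try:
    from lxml import etree                  # the library this report concerns
except ImportError:
    import xml.etree.ElementTree as etree   # stdlib fallback; same calls used below


class GuardedTree:
    """Hypothetical wrapper: one lock serialises queries and node removal."""

    def __init__(self, xml_text):
        self._root = etree.fromstring(xml_text)
        self._lock = threading.Lock()

    def _select(self, expr):
        # lxml elements expose .xpath(); the stdlib fallback only has .findall().
        run = getattr(self._root, "xpath", None) or self._root.findall
        return list(run(expr))

    def query_ids(self, expr):
        # Copy plain strings out under the lock so no element reference
        # escapes to a caller that could touch it after a removal.
        with self._lock:
            return [el.get("id") for el in self._select(expr)]

    def remove_children(self, expr):
        # Snapshot the result set first, then mutate, all under the same lock.
        with self._lock:
            victims = self._select(expr)
            for el in victims:
                self._root.remove(el)
            return len(victims)


def run_demo(n_items=200, rounds=50):
    # Constructed sample document: odd ids are "tmp", even ids are "keep".
    items = "".join('<item id="%d" kind="%s"/>' % (i, "tmp" if i % 2 else "keep")
                    for i in range(n_items))
    tree = GuardedTree("<root>%s</root>" % items)
    seen = []
    reader = threading.Thread(
        target=lambda: seen.extend(len(tree.query_ids("item")) for _ in range(rounds)))
    writer = threading.Thread(target=lambda: tree.remove_children("item[@kind='tmp']"))
    for t in (reader, writer):
        t.start()
    for t in (reader, writer):
        t.join()
    return seen, tree.query_ids("item")
```

Because the removal holds the lock for its whole pass, each query in `run_demo` sees either the full document or the fully pruned one, never a half-modified result set.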