Merge branch 'PHP-7.0' into PHP-7.1

3 files changed, 79 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index f7b3c43885..abb9e7e998 100644
--- a/NEWS
+++ b/NEWS
@@ -62,6 +62,9 @@ PHP                                                                        NEWS
     with IIS FTP 7.5, 8.5). (vhuk)
   . Fixed bug #72810 (Missing SKIP_ONLINE_TESTS checks). (vhuk)
 
+- XML:
+  . Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb)
+
 04 Aug 2016, PHP 7.1.0beta2
 
 - Core:
diff --git a/ext/xml/tests/bug72085.phpt b/ext/xml/tests/bug72085.phpt
new file mode 100644
index 0000000000..44ae1f1cde
--- /dev/null
+++ b/ext/xml/tests/bug72085.phpt
@@ -0,0 +1,74 @@
+--TEST--
+Bug #72085 (SEGV on unknown address zif_xml_parse)
+--SKIPIF--
+<?php
+if (!extension_loaded('xml')) die('skip xml extension not available');
+?>
+--FILE--
+<?php
+$var1 = xml_parser_create_ns();
+xml_set_element_handler($var1, new Exception(""), 4096);
+xml_parse($var1,  str_repeat("<a>", 10));
+?>
+===DONE===
+--EXPECTF--
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+===DONE===
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index 72f629ba2c..c08e3818d5 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -498,7 +498,8 @@ static void xml_call_handler(xml_parser *parser, zval *handler, zend_function *f
 
 			if (Z_TYPE_P(handler) == IS_STRING) {
 				php_error_docref(NULL, E_WARNING, "Unable to call handler %s()", Z_STRVAL_P(handler));
-			} else if ((obj = zend_hash_index_find(Z_ARRVAL_P(handler), 0)) != NULL &&
+			} else if (Z_TYPE_P(handler) == IS_ARRAY &&
+					   (obj = zend_hash_index_find(Z_ARRVAL_P(handler), 0)) != NULL &&
 					   (method = zend_hash_index_find(Z_ARRVAL_P(handler), 1)) != NULL &&
 					   Z_TYPE_P(obj) == IS_OBJECT &&
 					   Z_TYPE_P(method) == IS_STRING) {