author | Christoph M. Becker <cmbecker69@gmx.de> | 2021-03-17 12:39:06 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2021-03-17 12:40:03 +0100 |
commit | fddd0ac5520916b6ea3852b6b0d75b1f7ede8095 (patch) | |
tree | e2d38d8c4555e0b69988107e6149f4c73738cbeb | |
parent | c7fadd23282b105adbdd17692734bc2940831d62 (diff) | |
parent | a08847ab39bb512d500cf196981a3e8780c83600 (diff) | |
Merge branch 'PHP-7.4' into PHP-8.0
* PHP-7.4:
Fix #66783: UAF when appending DOMDocument to element
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/dom/php_dom.c | 10 | ||||
-rw-r--r-- | ext/dom/tests/bug66783.phpt | 19 |
3 files changed, 29 insertions, 3 deletions
@@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2021, PHP 8.0.5
+- DOM:
+ . Fixed bug #66783 (UAF when appending DOMDocument to element). (cmb)
+
 - FFI: . Fixed bug #80847 (CData structs with fields of type struct can't be passed as C function argument). (Nickolas Daniel da Silva, Dmitry)
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
index 78d22f6a5e..351c138622 100644
--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@@ -1243,9 +1243,13 @@ int dom_hierarchy(xmlNodePtr parent, xmlNodePtr child)
 {
 xmlNodePtr nodep;
- if (parent == NULL || child == NULL || child->doc != parent->doc) {
- return SUCCESS;
- }
+ if (parent == NULL || child == NULL || child->doc != parent->doc) {
+ return SUCCESS;
+ }
+
+ if (child->type == XML_DOCUMENT_NODE) {
+ return FAILURE;
+ }
 nodep = parent;
diff --git a/ext/dom/tests/bug66783.phpt b/ext/dom/tests/bug66783.phpt
new file mode 100644
index 0000000000..98981a88f6
--- /dev/null
+++ b/ext/dom/tests/bug66783.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #66783 (UAF when appending DOMDocument to element)
+--SKIPIF--
+<?php
+if (!extension_loaded('dom')) die('skip dom extension not available');
+?>
+--FILE--
+<?php
+$doc = new DomDocument;
+$doc->loadXML('<root></root>');
+$e = $doc->createElement('e');
+try {
+ $e->appendChild($doc);
+} catch (DOMException $ex) {
+ echo $ex->getMessage(), PHP_EOL;
+}
+?>
+--EXPECTF--
+Hierarchy Request Error |
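Review bot: The new guard in dom_hierarchy compares only against `XML_DOCUMENT_NODE`, so a document whose libxml2 node type is `XML_HTML_DOCUMENT_NODE` (the type the HTML parser assigns) would not be rejected here; if such a document can reach this function as `child`, the test should read `if (child->type == XML_DOCUMENT_NODE || child->type == XML_HTML_DOCUMENT_NODE) {`. The guard also sits after the early `return SUCCESS` for `child->doc != parent->doc`, so a document node belonging to a different document still passes, and rejecting it depends on a wrong-document check in the callers, which this hunk does not show. A short comment such as `/* a document can never be inserted as a child; the ancestor walk below does not reach it when parent is detached */` would record why the type test is needed. That rationale is inferred, because the rest of the function body lies outside the hunk.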
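Review bot: The regression test covers only `appendChild()`, while the fix lives in a shared helper. If other insertion methods such as `insertBefore()` and `replaceChild()` go through the same dom_hierarchy check (their call sites are not visible on this page), one case per method would keep the guard covered should those paths later diverge. The expected output contains no format placeholders, so `--EXPECT--` would state the intent more exactly than `--EXPECTF--`.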