diff options
| author | Antony Dovgal <tony2001@php.net> | 2006-08-06 17:41:51 +0000 |
|---|---|---|
| committer | Antony Dovgal <tony2001@php.net> | 2006-08-06 17:41:51 +0000 |
| commit | 07b5c8fe2a5f3a3714641c543a9d9e12799ac1bb (patch) | |
| tree | af18d79eade0ad8c4095dd6bc859620b4ed918c8 | |
| parent | 861c55b41781cc2fd044c1709cba3a9218add754 (diff) | |
| download | php-git-07b5c8fe2a5f3a3714641c543a9d9e12799ac1bb.tar.gz | |
MFH: fix #38347 (Segmentation fault when using foreach with an unknown/empty SimpleXMLElement)
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/libxml/libxml.c | 4 | ||||
| -rw-r--r-- | ext/simplexml/simplexml.c | 3 | ||||
| -rw-r--r-- | ext/simplexml/tests/bug38347.phpt | 28 |
4 files changed, 36 insertions, 1 deletions
@@ -30,6 +30,8 @@ PHP NEWS - Fixed phpinfo() cutoff of variables at \0. (Ilia) - Fixed a bug in the filter extension that prevented magic_quotes_gpc from being applied when RAW filter is used. (Ilia) +- Fixed bug #38347 (Segmentation fault when using foreach with an unknown/empty + SimpleXMLElement). (Tony) - Fixed bug #38322 (reading past array in sscanf() leads to arbitary code execution). (Tony) - Fixed bug #38303 (spl_autoload_register() supress all errors silently). diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c index 7326d57a3c..80b6697236 100644 --- a/ext/libxml/libxml.c +++ b/ext/libxml/libxml.c @@ -966,8 +966,8 @@ int php_libxml_decrement_doc_ref(php_libxml_node_object *object TSRMLS_DC) { efree(object->document->doc_props); } efree(object->document); + object->document = NULL; } - object->document = NULL; } return ret_refcount; @@ -1025,6 +1025,8 @@ void php_libxml_node_decrement_resource(php_libxml_node_object *object TSRMLS_DC obj_node->_private = NULL; } } + } + if (object != NULL && object->document != NULL) { /* Safe to call as if the resource were freed then doc pointer is NULL */ php_libxml_decrement_doc_ref(object TSRMLS_CC); } diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index 22757412ca..7a3a335deb 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c @@ -195,6 +195,9 @@ static xmlNodePtr sxe_get_element_by_name(php_sxe_object *sxe, xmlNodePtr node, if (sxe->iter.type == SXE_ITER_ELEMENT) { orgnode = sxe_find_element_by_name(sxe, node, sxe->iter.name TSRMLS_CC); + if (!orgnode) { + return NULL; + } node = orgnode->children; } diff --git a/ext/simplexml/tests/bug38347.phpt b/ext/simplexml/tests/bug38347.phpt new file mode 100644 index 0000000000..c25fccea24 --- /dev/null +++ b/ext/simplexml/tests/bug38347.phpt @@ -0,0 +1,28 @@ +--TEST-- +Bug #38347 (Segmentation fault when using foreach with an unknown/empty SimpleXMLElement) +--SKIPIF-- +<?php if (!extension_loaded("simplexml")) print "skip"; ?> +--FILE-- +<?php + +function iterate($xml) +{ + print_r($xml); + foreach ($xml->item as $item) { + echo "This code will crash!"; + } +} + +$xmlstr = "<xml><item>Item 1</item><item>Item 2</item></xml>"; +$xml = simplexml_load_string($xmlstr); +iterate($xml->unknown); + +echo "Done\n"; +?> +--EXPECTF-- +SimpleXMLElement Object +( +) + +Warning: iterate(): Node no longer exists in %s on line %d +Done |