author | Xinchen Hui <laruence@gmail.com> | 2019-12-25 12:05:44 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-25 12:33:30 +0100 |
commit | 27bb3289aceb5225e4dd39f082a48823756a8190 (patch) | |
tree | 221ec2a096ba6129a0a2845899220a157311846d | |
parent | 37d11d123e4b8952bf973e372c4062f6d0a7bca8 (diff) | |
download | php-git-27bb3289aceb5225e4dd39f082a48823756a8190.tar.gz |
Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter).
We backport the fix to PHP 7.3, since this branch is affected as well.
(cherry picked from commit b5e004379647bd1ebb75eb2eac8826fb6abdd3d8)
(cherry picked from commit e36daa6927c05d2e687bb77495ef206cde118b33)
(cherry picked from commit 2704ee6844c03348de9d15e74646d09007ef0f7c)
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/libxml/libxml.c | 4 | ||||
-rw-r--r-- | ext/xmlwriter/php_xmlwriter.c | 16 | ||||
-rw-r--r-- | ext/xmlwriter/tests/bug79029.phpt | 34 |
4 files changed, 50 insertions, 7 deletions
@@ -17,6 +17,9 @@ PHP NEWS . Fixed bug #78923 (Artifacts when convoluting image with transparency). (wilson chen) +- Libxml: + . Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence) + - Pcntl: . Fixed bug #78402 (Converting null to string in error message is bad DX). (SATŌ Kentarō) diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c index b0b94b7c3a..864e5a36fb 100644 --- a/ext/libxml/libxml.c +++ b/ext/libxml/libxml.c @@ -358,6 +358,10 @@ static void *php_libxml_streams_IO_open_wrapper(const char *filename, const char context = php_stream_context_from_zval(Z_ISUNDEF(LIBXML(stream_context))? NULL : &LIBXML(stream_context), 0); ret_val = php_stream_open_wrapper_ex(path_to_open, (char *)mode, REPORT_ERRORS, NULL, context); + if (ret_val) { + /* Prevent from closing this by fclose() */ + ((php_stream*)ret_val)->flags |= PHP_STREAM_FLAG_NO_FCLOSE; + } if (isescaped) { xmlFree(resolved_path); } diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c index 16545fd653..24bb9dd182 100644 --- a/ext/xmlwriter/php_xmlwriter.c +++ b/ext/xmlwriter/php_xmlwriter.c @@ -91,13 +91,15 @@ typedef int (*xmlwriter_read_int_t)(xmlTextWriterPtr writer); static void xmlwriter_free_resource_ptr(xmlwriter_object *intern) { if (intern) { - if (intern->ptr) { - xmlFreeTextWriter(intern->ptr); - intern->ptr = NULL; - } - if (intern->output) { - xmlBufferFree(intern->output); - intern->output = NULL; + if (EG(active)) { + if (intern->ptr) { + xmlFreeTextWriter(intern->ptr); + intern->ptr = NULL; + } + if (intern->output) { + xmlBufferFree(intern->output); + intern->output = NULL; + } } efree(intern); } diff --git a/ext/xmlwriter/tests/bug79029.phpt b/ext/xmlwriter/tests/bug79029.phpt new file mode 100644 index 0000000000..2e76a4e409 --- /dev/null +++ b/ext/xmlwriter/tests/bug79029.phpt 
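Review bot: The added comment in `php_libxml_streams_IO_open_wrapper` says what the flag does but not why this stream must not be closed from userland, which is the security-relevant part of the fix. Judging by the function name and its `void *` return, the stream appears to be handed to libxml2 as its I/O context, so a userland `fclose()` on the resource would leave libxml2 holding a freed pointer. I would spell that out, e.g. `/* libxml2 keeps this stream as its I/O context; userland fclose() would leave it dangling (bug #79029) */`. The function starts and ends outside this hunk, so whether every other stream handed to libxml2 goes through this path cannot be confirmed from here.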
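Review bot: When `EG(active)` is false, `xmlwriter_free_resource_ptr` now skips both `xmlFreeTextWriter()` and `xmlBufferFree()` and then calls `efree(intern)`, which drops the only visible pointers to `intern->ptr` and `intern->output`, so those allocations look intentionally abandoned rather than released. That trade-off (leak rather than touch a stream that may already be gone) deserves a comment on the guard, e.g. `/* Executor is shutting down: the underlying stream may already be destroyed, so skip the libxml teardown (bug #79029) */`. It is also worth confirming that the leak is acceptable in long-running SAPIs, and that skipping the writer teardown does not drop buffered output that callers expected to be flushed at script end. The function's closing brace is outside the hunk.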
@@ -0,0 +1,34 @@
+--TEST--
+#79029 (Use After Free's in XMLReader / XMLWriter)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlwriter")) print "skip xmlwriter extension not available";
+if (!extension_loaded("xmlreader")) print "skip xmlreader extension not available";
+?>
+--FILE--
+<?php
+$x = array( new XMLWriter() );
+$x[0]->openUri("bug79029_1.txt");
+$x[0]->startComment();
+
+$x = new XMLWriter();
+$x->openUri("bug79029_2.txt");
+fclose(@end(get_resources()));
+
+file_put_contents("bug79029_3.txt", "a");
+$x = new XMLReader();
+$x->open("bug79029_3.txt");
+fclose(@end(get_resources()));
+?>
+okey
+--CLEAN--
+<?php
+@unlink("bug79029_1.txt");
+@unlink("bug79029_2.txt");
+@unlink("bug79029_3.txt");
+?>
+--EXPECTF--
+Warning: fclose(): %d is not a valid stream resource in %sbug79029.php on line %d
+
+Warning: fclose(): %d is not a valid stream resource in %sbug79029.php on line %d
+okey |
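Review bot: The test creates `bug79029_1.txt` to `bug79029_3.txt` with relative paths, so they land in the current working directory and the `--CLEAN--` section only finds them if it runs from the same directory. Anchoring them with `__DIR__` is more robust, e.g. `$x->openUri(__DIR__ . "/bug79029_2.txt");` with the matching `@unlink(__DIR__ . "/bug79029_2.txt");`. `end(get_resources())` also assumes the stream just opened is the last entry in the resource list, which is worth a short comment. The first case (the writer left with an open comment inside an array) produces no expected output of its own, so a regression there would presumably only show up under a memory checker.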