Merge branch 'PHP-5.6' into PHP-7.0

3 files changed, 78 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index d17a9365a4..e9c1b73b61 100644
--- a/NEWS
+++ b/NEWS
@@ -47,6 +47,8 @@ PHP                                                                        NEWS
   . Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails
     with IIS FTP 7.5, 8.5). (vhuk)
 
+- XML:
+  . Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb)
 
 ?? ??? 2016 PHP 7.0.10
 
diff --git a/ext/xml/tests/bug72085.phpt b/ext/xml/tests/bug72085.phpt
new file mode 100644
index 0000000000..44ae1f1cde
--- /dev/null
+++ b/ext/xml/tests/bug72085.phpt
@@ -0,0 +1,74 @@
+--TEST--
+Bug #72085 (SEGV on unknown address zif_xml_parse)
+--SKIPIF--
+<?php
+if (!extension_loaded('xml')) die('skip xml extension not available');
+?>
+--FILE--
+<?php
+$var1 = xml_parser_create_ns();
+xml_set_element_handler($var1, new Exception(""), 4096);
+xml_parse($var1,  str_repeat("<a>", 10));
+?>
+===DONE===
+--EXPECTF--
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback Exception in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+===DONE===
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index d788b9b0b8..aabb414157 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -500,7 +500,8 @@ static void xml_call_handler(xml_parser *parser, zval *handler, zend_function *f
 
 			if (Z_TYPE_P(handler) == IS_STRING) {
 				php_error_docref(NULL, E_WARNING, "Unable to call handler %s()", Z_STRVAL_P(handler));
-			} else if ((obj = zend_hash_index_find(Z_ARRVAL_P(handler), 0)) != NULL &&
+			} else if (Z_TYPE_P(handler) == IS_ARRAY &&
+					   (obj = zend_hash_index_find(Z_ARRVAL_P(handler), 0)) != NULL &&
 					   (method = zend_hash_index_find(Z_ARRVAL_P(handler), 1)) != NULL &&
 					   Z_TYPE_P(obj) == IS_OBJECT &&
 					   Z_TYPE_P(method) == IS_STRING) {