authorFelipe Pena <felipe@php.net>2010-04-20 16:24:21 +0000
committerFelipe Pena <felipe@php.net>2010-04-20 16:24:21 +0000
commitdf43d76e62638ab7b1014100da8a670d6872bc61 (patch)
tree99fccba724fea7a3675598dffb80f860b2dce2ed
parent1efc049863c5d2c3eb06fe139f465819663d7260 (diff)
- Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML)
-rw-r--r--NEWS1
-rw-r--r--ext/simplexml/simplexml.c11
-rw-r--r--ext/simplexml/tests/bug51615.phpt22
3 files changed, 31 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index 85316bab20..7b533f1a9c 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,7 @@ PHP NEWS
requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
- Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas)
+- Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML). (Felipe)
- Fixed bug #51609 (pg_copy_to: Invalid results when using fourth parameter).
(Felipe)
- Fixed bug #51608 (pg_copy_to: WARNING: nonstandard use of \\ in a string
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index f1843b497f..3f41fc8357 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -988,9 +988,14 @@ static void sxe_dimension_delete(zval *object, zval *offset TSRMLS_DC)
static inline char * sxe_xmlNodeListGetString(xmlDocPtr doc, xmlNodePtr list, int inLine) /* {{{ */
{
xmlChar *tmp = xmlNodeListGetString(doc, list, inLine);
- char *res = estrdup((char*)tmp);
-
- xmlFree(tmp);
+ char *res;
+
+ if (tmp) {
+ res = estrdup((char*)tmp);
+ xmlFree(tmp);
+ } else {
+ res = STR_EMPTY_ALLOC();
+ }
return res;
}
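Review bot: The contract this change gives sxe_xmlNodeListGetString is not written down anywhere in the function: it now never returns NULL and always hands back an emalloc'ed string, turning a NULL result from xmlNodeListGetString() into an empty string. A one-line comment above the definition would record that for callers, for example `/* Never returns NULL: a NULL libxml2 result becomes an emalloc'ed ""; the caller must efree() it. */`. The guard matters because the old code passed that NULL straight to estrdup(), which is the crash the accompanying test triggers from malformed HTML. Any direct calls to xmlNodeListGetString() elsewhere in simplexml.c are outside this hunk; if they exist, they would presumably need the same NULL check before the result is copied or measured.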
diff --git a/ext/simplexml/tests/bug51615.phpt b/ext/simplexml/tests/bug51615.phpt
new file mode 100644
index 0000000000..c5572f542a
--- /dev/null
+++ b/ext/simplexml/tests/bug51615.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #51615 (PHP crash with wrong HTML in SimpleXML)
+--SKIPIF--
+<?php if (!extension_loaded("simplexml")) print "skip"; ?>
+--FILE--
+<?php
+
+$dom = new DOMDocument;
+$dom->loadHTML('<span title=""y">x</span><span title=""z">x</span>');
+$html = simplexml_import_dom($dom);
+
+foreach ($html->body->span as $obj) {
+ var_dump((string)$obj->title);
+}
+
+?>
+--EXPECTF--
+Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
+
+Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
+string(0) ""
+string(0) ""
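Review bot: The SKIPIF section checks only for simplexml, but the test body builds its input with DOMDocument and simplexml_import_dom(), so on a build without the dom extension it would fail instead of being skipped. Adding a second check to the SKIPIF block, `if (!extension_loaded("dom")) print "skip";`, would cover that. The expected output also pins the exact libxml2 warning text twice, so it may be sensitive to the libxml2 version in use; that is worth confirming on the supported builds.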