-rw-r--r--NEWS3
-rw-r--r--ext/xml/tests/bug72085.phpt74
-rw-r--r--ext/xml/xml.c3
3 files changed, 79 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index bf6a294132..30a17c1d05 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,9 @@ PHP NEWS
. Fixed bug #72823 (strtr out-of-bound access). (cmb)
. Fixed bug #72278 (getimagesize returning FALSE on valid jpg). (cmb)
+- XML:
+ . Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb)
+
18 Aug 2016, PHP 5.6.25
- Core:
diff --git a/ext/xml/tests/bug72085.phpt b/ext/xml/tests/bug72085.phpt
new file mode 100644
index 0000000000..2989289cb1
--- /dev/null
+++ b/ext/xml/tests/bug72085.phpt
@@ -0,0 +1,74 @@
+--TEST--
+Bug #72085 (SEGV on unknown address zif_xml_parse)
+--SKIPIF--
+<?php
+if (!extension_loaded('xml')) die('skip xml extension not available');
+?>
+--FILE--
+<?php
+$var1 = xml_parser_create_ns();
+xml_set_element_handler($var1, new Exception(""), 4096);
+xml_parse($var1, str_repeat("<a>", 10));
+?>
+===DONE===
+--EXPECTF--
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+
+Warning: Invalid callback exception 'Exception' in %s%ebug72085.php:%d
+Stack trace:
+#0 {main}, no array or string given in %s%ebug72085.php on line %d
+
+Warning: xml_parse(): Unable to call handler in %s%ebug72085.php on line %d
+===DONE===
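Review bot: The test never exercises the integer handler: `str_repeat("<a>", 10)` contains no closing tags, so the `4096` registered as the end-element handler is never invoked, and all ten expected warnings come from the `Exception` start handler. Since the fix in xml.c guards against every non-array, non-string handler type, the regression test should also cover the scalar case. This could be done by parsing input that closes an element, for example `xml_parse($var1, "<a><b/></a>");`, and adding the resulting warnings to `--EXPECTF--`.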
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index 0850f0c605..9eba47be26 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -535,7 +535,8 @@ static zval *xml_call_handler(xml_parser *parser, zval *handler, zend_function *
if (Z_TYPE_P(handler) == IS_STRING) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call handler %s()", Z_STRVAL_P(handler));
- } else if (zend_hash_index_find(Z_ARRVAL_P(handler), 0, (void **) &obj) == SUCCESS &&
+ } else if (Z_TYPE_P(handler) == IS_ARRAY &&
+ zend_hash_index_find(Z_ARRVAL_P(handler), 0, (void **) &obj) == SUCCESS &&
zend_hash_index_find(Z_ARRVAL_P(handler), 1, (void **) &method) == SUCCESS &&
Z_TYPE_PP(obj) == IS_OBJECT &&
Z_TYPE_PP(method) == IS_STRING) {
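Review bot: The new `Z_TYPE_P(handler) == IS_ARRAY` guard carries no comment saying why it is needed: `Z_ARRVAL_P()` on a non-array zval reads the value union as a HashTable pointer, which is the type confusion behind the reported SEGV. I would add `/* handler may be any zval type here; Z_ARRVAL_P() is only valid for IS_ARRAY */` above the `else if`. Judging by the test, xml_set_element_handler() appears to store a handler of any type without validating it, so this check protects only this diagnostic branch. Rejecting non-string, non-array handlers at registration time would be the more durable fix, but that code is not visible here. xml_call_handler starts and ends outside the hunk.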