Diffstat (limited to 'ext/simplexml/simplexml.c')
-rw-r--r-- | ext/simplexml/simplexml.c | 49 |
1 files changed, 40 insertions, 9 deletions
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index c047d7e235..d848fcac16 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c @@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | PHP Version 7 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2015 The PHP Group | + | Copyright (c) 1997-2016 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -64,7 +64,7 @@ static void php_sxe_iterator_rewind(zend_object_iterator *iter); /* {{{ _node_as_zval() */ -static void _node_as_zval(php_sxe_object *sxe, xmlNodePtr node, zval *value, SXE_ITER itertype, char *name, const char *nsprefix, int isprefix) +static void _node_as_zval(php_sxe_object *sxe, xmlNodePtr node, zval *value, SXE_ITER itertype, char *name, const xmlChar *nsprefix, int isprefix) { php_sxe_object *subnode; @@ -76,7 +76,7 @@ static void _node_as_zval(php_sxe_object *sxe, xmlNodePtr node, zval *value, SXE subnode->iter.name = (xmlChar*)estrdup(name); } if (nsprefix && *nsprefix) { - subnode->iter.nsprefix = (xmlChar*)estrdup(nsprefix); + subnode->iter.nsprefix = (xmlChar*)estrdup((char*)nsprefix); subnode->iter.isprefix = isprefix; } @@ -978,7 +978,7 @@ static inline zend_string *sxe_xmlNodeListGetString(xmlDocPtr doc, xmlNodePtr li /* {{{ _get_base_node_value() */ -static void _get_base_node_value(php_sxe_object *sxe_ref, xmlNodePtr node, zval *value, char *nsprefix, int isprefix) +static void _get_base_node_value(php_sxe_object *sxe_ref, xmlNodePtr node, zval *value, xmlChar *nsprefix, int isprefix) { php_sxe_object *subnode; xmlChar *contents; 
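Review bot: The new cast in `_node_as_zval`, `estrdup((char*)nsprefix)`, strips the `const` that this same change adds to the parameter; `estrdup((const char *)nsprefix)` performs the same conversion and keeps the qualifier. The two helpers also end up with different signatures: `_node_as_zval` takes `const xmlChar *nsprefix`, while `_get_base_node_value` (hunks at -978 and -994) takes a plain `xmlChar *nsprefix`, although the visible lines of both only test and duplicate the string. Declaring the second one `const xmlChar *nsprefix` as well would keep them parallel. Both function bodies continue outside their hunks, so a write through the pointer further down cannot be ruled out from here.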
@@ -994,7 +994,7 @@ static void _get_base_node_value(php_sxe_object *sxe_ref, xmlNodePtr node, zval subnode->document = sxe_ref->document; subnode->document->refcount++; if (nsprefix && *nsprefix) { - subnode->iter.nsprefix = (xmlChar*)estrdup(nsprefix); + subnode->iter.nsprefix = (xmlChar*)estrdup((char *)nsprefix); subnode->iter.isprefix = isprefix; } php_libxml_increment_node_ptr((php_libxml_node_object *)subnode, node, NULL); @@ -1186,7 +1186,7 @@ static HashTable *sxe_get_prop_hash(zval *object, int is_debug) /* {{{ */ node = NULL; } else if (sxe->iter.type != SXE_ITER_CHILD) { - if ( sxe->iter.type == SXE_ITER_NONE || !node->children || !node->parent || node->children->next || node->children->children || node->parent->children == node->parent->last ) { + if ( sxe->iter.type == SXE_ITER_NONE || !node->children || !node->parent || !node->next || node->children->next || node->children->children || node->parent->children == node->parent->last ) { node = node->children; } else { ZVAL_COPY_VALUE(&iter_data, &sxe->iter.data); @@ -2206,7 +2206,12 @@ PHP_FUNCTION(simplexml_load_file) return; } - docp = xmlReadFile(filename, NULL, options); + if (ZEND_LONG_EXCEEDS_INT(options)) { + php_error_docref(NULL, E_WARNING, "Invalid options"); + RETURN_FALSE; + } + + docp = xmlReadFile(filename, NULL, (int)options); if (!docp) { RETURN_FALSE; @@ -2247,7 +2252,20 @@ PHP_FUNCTION(simplexml_load_string) return; } - docp = xmlReadMemory(data, data_len, NULL, NULL, options); + if (ZEND_SIZE_T_INT_OVFL(data_len)) { + php_error_docref(NULL, E_WARNING, "Data is too long"); + RETURN_FALSE; + } + if (ZEND_SIZE_T_INT_OVFL(ns_len)) { + php_error_docref(NULL, E_WARNING, "Namespace is too long"); + RETURN_FALSE; + } + if (ZEND_LONG_EXCEEDS_INT(options)) { + php_error_docref(NULL, E_WARNING, "Invalid options"); + RETURN_FALSE; + } + + docp = xmlReadMemory(data, (int)data_len, NULL, NULL, (int)options); if (!docp) { RETURN_FALSE; 
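Review bot: The condition in `sxe_get_prop_hash` (hunk at -1186) now chains seven `||` terms with no comment, and nothing in the hunk explains the added `!node->next`. As written, a node with no following sibling now always takes the `node = node->children` branch instead of the iterator branch. A short comment above the `if`, stating which node shapes are meant to be enumerated through their children and why a node without a next sibling is one of them, would let a reader check each term against that intent. Putting one term per line would also make one-term changes like this easier to review. The function starts and ends outside the hunk.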
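Review bot: The `ZEND_SIZE_T_INT_OVFL(ns_len)` check in `simplexml_load_string` (hunk at -2247) guards a value that is never narrowed in the visible lines; only `data_len` and `options` are cast to `int` for `xmlReadMemory`. `SXE_METHOD(__construct)` (hunk at -2284) repeats the check, while `simplexml_load_file` (hunk at -2206) checks `options` only, so the three entry points disagree. If `ns_len` does not reach an `int` parameter further down, outside the hunks, the check only rejects input and can be dropped. If it does, and `simplexml_load_file` accepts a namespace argument too, that function needs the same guard. A one-line comment above the checks, such as `/* libxml2 takes int lengths and options; reject values the casts below would truncate */`, would record why they exist.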
@@ -2284,7 +2302,20 @@ SXE_METHOD(__construct) return; } - docp = is_url ? xmlReadFile(data, NULL, options) : xmlReadMemory(data, data_len, NULL, NULL, options); + if (ZEND_SIZE_T_INT_OVFL(data_len)) { + php_error_docref(NULL, E_WARNING, "Data is too long"); + RETURN_FALSE; + } + if (ZEND_SIZE_T_INT_OVFL(ns_len)) { + php_error_docref(NULL, E_WARNING, "Namespace is too long"); + RETURN_FALSE; + } + if (ZEND_LONG_EXCEEDS_INT(options)) { + php_error_docref(NULL, E_WARNING, "Invalid options"); + RETURN_FALSE; + } + + docp = is_url ? xmlReadFile(data, NULL, (int)options) : xmlReadMemory(data, (int)data_len, NULL, NULL, (int)options); if (!docp) { ((php_libxml_node_object *)sxe)->document = NULL; |
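Review bot: The three new guards in `SXE_METHOD(__construct)` end with `RETURN_FALSE`, which does not make `new` fail: a constructor's return value is discarded, so the caller would receive an object that was never given a document, with only an E_WARNING as a signal. The existing `!docp` path directly below clears `document` and, as far as can be inferred since it continues outside the hunk, reports failure differently. The length and option guards should fail the same way, for example `zend_throw_exception(zend_ce_exception, "Data is too long", 0); return;` for each of the three messages. The `data_len` guard also runs when `is_url` is set, a case in which the visible call never passes `data_len` to libxml2.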