From c11b23c46577e30e1e0a7c0abfb4c7ea735c34e1 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 14 Feb 2016 23:35:29 -0800
Subject: Fix bug #71540 - NULL pointer dereference in xsl_ext_function_php()

---
 NEWS                        |  4 +++
 ext/xsl/tests/bug71540.phpt | 67 +++++++++++++++++++++++++++++++++++++++++++++
 ext/xsl/xsltprocessor.c     |  4 +++
 3 files changed, 75 insertions(+)
 create mode 100644 ext/xsl/tests/bug71540.phpt

diff --git a/NEWS b/NEWS
index 51a9555505..5d641b4f1d 100644
--- a/NEWS
+++ b/NEWS
@@ -31,6 +31,10 @@ PHP                                                                        NEWS
 - Standard:
   . Fixed bug #70720 (strip_tags improper php code parsing). (Julien)
 
+- XSL:
+  . Fixed bug #71540 (NULL pointer dereference in xsl_ext_function_php()).
+    (Stas)
+
 - Zip:
   . Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo). (Laruence)
 
diff --git a/ext/xsl/tests/bug71540.phpt b/ext/xsl/tests/bug71540.phpt
new file mode 100644
index 0000000000..e93fb0e125
--- /dev/null
+++ b/ext/xsl/tests/bug71540.phpt
@@ -0,0 +1,67 @@
+--TEST--
+Bug #71540 (NULL pointer dereference in xsl_ext_function_php())
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+$xml = <<<EOB
+<allusers>
+ <user>
+  <uid>bob</uid>
+ </user>
+</allusers>
+EOB;
+$xsl = <<<EOB
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" 
+     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+     xmlns:php="http://php.net/xsl">
+<xsl:output method="html" encoding="utf-8" indent="yes"/>
+ <xsl:template match="allusers">
+  <html><body>
+    <h2>Users</h2>
+    <table>
+    <xsl:for-each select="user">
+      <tr><td>
+        <xsl:value-of
+             select="php:function('test',uid,test(test))"/>
+      </td></tr>
+    </xsl:for-each>
+    </table>
+  </body></html>
+ </xsl:template>
+</xsl:stylesheet>
+EOB;
+
+$xmldoc = new DOMDocument();
+$xmldoc->loadXML($xml);
+$xsldoc = new DOMDocument();
+$xsldoc->loadXML($xsl);
+
+$proc = new XSLTProcessor();
+$proc->registerPHPFunctions();
+$proc->importStyleSheet($xsldoc);
+echo $proc->transformToXML($xmldoc);
+?>
+DONE
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): xmlXPathCompOpEval: function test not found in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): Unregistered function in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): Stack usage errror in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): Stack usage errror in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): xmlXPathCompiledEval: 2 objects left on the stack. in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line 13 element value-of in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): XPath evaluation returned no result. in %sbug71540.php on line %d
+<html xmlns:php="http://php.net/xsl"><body>
+<h2>Users</h2>
+<table><tr><td></td></tr></table>
+</body></html>
+DONE
\ No newline at end of file
diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
index 691c78c470..5d34651930 100644
--- a/ext/xsl/xsltprocessor.c
+++ b/ext/xsl/xsltprocessor.c
@@ -239,6 +239,10 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
 	for (i = nargs - 2; i >= 0; i--) {
 		obj = valuePop(ctxt);
 		MAKE_STD_ZVAL(args[i]);
+		if (obj == NULL) {
+			ZVAL_NULL(args[i]);
+			continue;
+		}
 		switch (obj->type) {
 			case XPATH_STRING:
 				ZVAL_STRING(args[i],  obj->stringval, 1);
-- 
cgit v1.2.1