From 3a7b0027f32881710ff64278a4f98b7e052578d2 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Fri, 21 Jul 2017 18:16:11 +0800
Subject: Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces)
---
 ext/simplexml/simplexml.c | 12 ++++++------
 ext/simplexml/tests/bug74950.phpt | 16 ++++++++++++++++
 2 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100644 ext/simplexml/tests/bug74950.phpt
(limited to 'ext/simplexml')
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index b8b5c37931..0637e06af8 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -2321,16 +2321,16 @@ SXE_METHOD(__construct)
 }
 if (ZEND_SIZE_T_INT_OVFL(data_len)) {
- php_error_docref(NULL, E_WARNING, "Data is too long");
- RETURN_FALSE;
+ zend_throw_exception(zend_ce_exception, "Data is too long", 0);
+ return;
 }
 if (ZEND_SIZE_T_INT_OVFL(ns_len)) {
- php_error_docref(NULL, E_WARNING, "Namespace is too long");
- RETURN_FALSE;
+ zend_throw_exception(zend_ce_exception, "Namespace is too long", 0);
+ return;
 }
 if (ZEND_LONG_EXCEEDS_INT(options)) {
- php_error_docref(NULL, E_WARNING, "Invalid options");
- RETURN_FALSE;
+ zend_throw_exception(zend_ce_exception, "Invalid options", 0);
+ return;
 }
 docp = is_url ? xmlReadFile(data, NULL, (int)options) : xmlReadMemory(data, (int)data_len, NULL, NULL, (int)options);
diff --git a/ext/simplexml/tests/bug74950.phpt b/ext/simplexml/tests/bug74950.phpt
new file mode 100644
index 0000000000..f267a07a81
--- /dev/null
+++ b/ext/simplexml/tests/bug74950.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #74950 (null pointer deref in zim_simplexml_element_getDocNamespaces)
+--SKIPIF--
+
+--FILE--
+getDocNamespaces())?>
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception: Invalid options in %sbug74950.php:%d
+Stack trace:
+#0 %sbug74950.php(%d): SimpleXMLElement->__construct('0', 9000000000)
+#1 {main}
+ thrown in %sbug74950.php on line %d
--
cgit v1.2.1
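Review bot: The three guards in `SXE_METHOD(__construct)` now throw, but the dereference named in the subject is in `getDocNamespaces`, which this diff does not touch, so the fix holds only if no other path yields a SimpleXMLElement without a loaded document. Whether such a path exists (for instance a subclass constructor that never calls the parent) cannot be told from this hunk. A guard at the use site would make the method safe independently of the constructor, assuming the NULL pointer is the object's document handle: `if (!sxe->document) { return; }` before it is read. The constructor body starts and ends outside the hunk, so whether anything needs releasing before the new `return;` lines could not be checked here.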
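Review bot: The new test covers only the `Invalid options` branch, and `9000000000` is an out-of-`int` integer only where `zend_long` is 64-bit, so the expected output presumably does not hold on 32-bit builds. The `--SKIPIF--` body is not legible in this rendering; if it checks only for the extension, add a platform guard such as `if (PHP_INT_SIZE != 8) die("skip 64-bit only");`. The `Data is too long` and `Namespace is too long` branches stay untested, which is understandable given the input sizes they need, but is worth noting in the test description.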