mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-11-24 02:15:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.0' into PHP-8.1

Browse Source
This commit is contained in:
George Peter Banyard 2022-08-19 12:52:58 +01:00
commit c36a1ea1ae
5 changed files with 87 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
NEWS
View File

@ -2,6 +2,14 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.1.11
- Core:
. Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
(Tim Starling)
- DOM:
. Fixed bug #79451 (Using DOMDocument->replaceChild on doctype causes
double free) (NathanFreeman)
- Streams:
. Fixed bug GH-9316 ($http_response_header is wrong for long status line).
(cmb, timwolla)

3
Zend/zend_vm_def.h
View File

@ -4329,6 +4329,7 @@ ZEND_VM_INLINE_HANDLER(62, ZEND_RETURN, CONST|TMP|VAR|CV, ANY, SPEC(OBSERVER))
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -8365,8 +8366,8 @@ ZEND_VM_C_LABEL(check_indirect):
zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
ZVAL_REF(variable_ptr, ref);
SAVE_OPLINE();
if (GC_DELREF(garbage) == 0) {
SAVE_OPLINE();
rc_dtor_func(garbage);
if (UNEXPECTED(EG(exception))) {
ZVAL_NULL(variable_ptr);

12
Zend/zend_vm_execute.h
View File

@ -4217,6 +4217,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_CONST_
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -4294,6 +4295,7 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_OBSER
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -18796,6 +18798,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_TMP_HA
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -21452,6 +21455,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_VAR_HA
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -38320,6 +38324,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_CV_HAN
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -43114,8 +43119,8 @@ check_indirect:
zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
ZVAL_REF(variable_ptr, ref);
SAVE_OPLINE();
if (GC_DELREF(garbage) == 0) {
SAVE_OPLINE();
rc_dtor_func(garbage);
if (UNEXPECTED(EG(exception))) {
ZVAL_NULL(variable_ptr);
@ -56002,6 +56007,7 @@ zend_leave_helper_SPEC_LABEL:
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -56080,6 +56086,7 @@ zend_leave_helper_SPEC_LABEL:
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -57613,6 +57620,7 @@ zend_leave_helper_SPEC_LABEL:
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -57918,6 +57926,7 @@ zend_leave_helper_SPEC_LABEL:
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);
@ -59051,6 +59060,7 @@ zend_leave_helper_SPEC_LABEL:
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
ZVAL_COPY_VALUE(return_value, retval_ptr);
if (GC_MAY_LEAK(ref)) {
SAVE_OPLINE();
gc_possible_root(ref);
}
ZVAL_NULL(retval_ptr);

46
ext/dom/node.c
View File

@ -20,6 +20,7 @@
#endif
#include "php.h"
#if defined(HAVE_LIBXML) && defined(HAVE_DOM)
#include "php_dom.h"
@ -1003,6 +1004,7 @@ PHP_METHOD(DOMNode, replaceChild)
xmlNodePtr newchild, oldchild, nodep;
dom_object *intern, *newchildobj, *oldchildobj;
int stricterror;
bool replacedoctype = false;
int ret;
@ -1042,7 +1044,51 @@ PHP_METHOD(DOMNode, replaceChild)
RETURN_FALSE;
}
<<<<<<< HEAD
if (oldchild->parent != nodep) {
=======
/* check for the old child and whether the new child is already a child */
while (children) {
if (children == oldchild) {
foundoldchild = 1;
break;
}
children = children->next;
}
if (foundoldchild) {
if (newchild->type == XML_DOCUMENT_FRAG_NODE) {
xmlNodePtr prevsib, nextsib;
prevsib = oldchild->prev;
nextsib = oldchild->next;
xmlUnlinkNode(oldchild);
newchild = _php_dom_insert_fragment(nodep, prevsib, nextsib, newchild, intern, newchildobj);
if (newchild) {
dom_reconcile_ns(nodep->doc, newchild);
}
} else if (oldchild != newchild) {
xmlDtdPtr intSubset = xmlGetIntSubset(nodep->doc);
replacedoctype = (intSubset == (xmlDtd *) oldchild);
if (newchild->doc == NULL && nodep->doc != NULL) {
xmlSetTreeDoc(newchild, nodep->doc);
newchildobj->document = intern->document;
php_libxml_increment_doc_ref((php_libxml_node_object *)newchildobj, NULL);
}
xmlReplaceNode(oldchild, newchild);
dom_reconcile_ns(nodep->doc, newchild);
if (replacedoctype) {
nodep->doc->intSubset = (xmlDtd *) newchild;
}
}
DOM_RET_OBJ(oldchild, &ret, intern);
return;
} else {
>>>>>>> PHP-8.0
php_dom_throw_error(NOT_FOUND_ERR, stricterror);
RETURN_FALSE;
}

20
ext/dom/tests/bug79451.phpt Normal file
View File

@ -0,0 +1,20 @@
--TEST--
Bug #79451 (Using DOMDocument->replaceChild on doctype causes double free)
--SKIPIF--
<?php require_once('skipif.inc'); ?>
--FILE--
<?php
$dom = new \DOMDocument();
$dom->loadHTML("<!DOCTYPE html><p>hello</p>");
$impl = new \DOMImplementation();
$dt = $impl->createDocumentType("html_replace", "", "");
$dom->replaceChild($dt, $dom->doctype);
var_dump($dom->doctype->name);
echo $dom->saveXML();
?>
--EXPECTF--
string(12) "html_replace"
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE html_replace>
<html><body><p>hello</p></body></html>