Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix GH-16777: Calling the constructor again on a DOM object after it is in a document causes UAF Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input
2024-11-23 01:44:06 +08:00 · 2024-11-16 13:42:14 +01:00 · 2024-11-16 13:42:14 +01:00 · d3fada3748
commit d3fada3748
parent 1b803bc3f5 18b18f0ee0
5 changed files with 71 additions and 1 deletions
--- a/ext/dom/node.c
+++ b/ext/dom/node.c
@ -906,6 +906,7 @@ static void dom_node_insert_before_legacy(zval *return_value, zval *ref, dom_obj
 	}

 	if (child->doc == NULL && parentp->doc != NULL) {
+		xmlSetTreeDoc(child, parentp->doc);
 		dom_set_document_ref_pointers(child, intern->document);
 	}

@ -1212,6 +1213,7 @@ static void dom_node_replace_child(INTERNAL_FUNCTION_PARAMETERS, bool modern)
 	}

 	if (newchild->doc == NULL && nodep->doc != NULL) {
+		xmlSetTreeDoc(newchild, nodep->doc);
 		dom_set_document_ref_pointers(newchild, intern->document);
 	}

@ -1320,6 +1322,7 @@ static void dom_node_append_child_legacy(zval *return_value, dom_object *intern,
 	}

 	if (child->doc == NULL && nodep->doc != NULL) {
+		xmlSetTreeDoc(child, nodep->doc);
 		dom_set_document_ref_pointers(child, intern->document);
 	}

--- a/ext/dom/tests/gh16777_1.phpt
+++ b/ext/dom/tests/gh16777_1.phpt
@ -0,0 +1,24 @@
+--TEST--
+GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$text = new DOMText('my value');
+$doc = new DOMDocument();
+$doc->appendChild($text);
+$text->__construct('my new value');
+$doc->appendChild($text);
+echo $doc->saveXML();
+$dom2 = new DOMDocument();
+try {
+    $dom2->appendChild($text);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+<?xml version="1.0"?>
+my value
+my new value
+Wrong Document Error
--- a/ext/dom/tests/gh16777_2.phpt
+++ b/ext/dom/tests/gh16777_2.phpt
@ -0,0 +1,27 @@
+--TEST--
+GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$el = new DOMElement('name');
+$el->append($child = new DOMElement('child'));
+$doc = new DOMDocument();
+$doc->appendChild($el);
+$el->__construct('newname');
+$doc->appendChild($el);
+echo $doc->saveXML();
+$dom2 = new DOMDocument();
+try {
+    $dom2->appendChild($el);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($child->ownerDocument === $doc);
+?>
+--EXPECT--
+<?xml version="1.0"?>
+<name><child/></name>
+<newname/>
+Wrong Document Error
+bool(true)
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@ -2479,7 +2479,11 @@ static zval *php_sxe_iterator_current_data(zend_object_iterator *iter) /* {{{ */
 {
 	php_sxe_iterator *iterator = (php_sxe_iterator *)iter;

-	return &iterator->sxe->iter.data;
+	zval *data = &iterator->sxe->iter.data;
+	if (Z_ISUNDEF_P(data)) {
+		return NULL;
+	}
+	return data;
 }
 /* }}} */

--- a/ext/simplexml/tests/gh16808.phpt
+++ b/ext/simplexml/tests/gh16808.phpt
@ -0,0 +1,12 @@
+--TEST--
+GH-16808 (Segmentation fault in RecursiveIteratorIterator->current() with a xml element input)
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+$sxe = new SimpleXMLElement("<root />");
+$test = new RecursiveIteratorIterator($sxe);
+var_dump($test->current());
+?>
+--EXPECT--
+NULL