mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-11-23 09:54:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.3' into PHP-8.4

Browse Source 
* PHP-8.3:
  Fix GH-16777: Calling the constructor again on a DOM object after it is in a document causes UAF
  Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input
This commit is contained in:
Niels Dossche 2024-11-16 13:42:14 +01:00
commit d3fada3748
No known key found for this signature in database
GPG Key ID: B8A8AD166DF0E2E5
5 changed files with 71 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ext/dom/node.c
View File

@ -906,6 +906,7 @@ static void dom_node_insert_before_legacy(zval *return_value, zval *ref, dom_obj
} }
if (child->doc == NULL && parentp->doc != NULL) { if (child->doc == NULL && parentp->doc != NULL) {
xmlSetTreeDoc(child, parentp->doc);
dom_set_document_ref_pointers(child, intern->document); dom_set_document_ref_pointers(child, intern->document);
} }
@ -1212,6 +1213,7 @@ static void dom_node_replace_child(INTERNAL_FUNCTION_PARAMETERS, bool modern)
} }
if (newchild->doc == NULL && nodep->doc != NULL) { if (newchild->doc == NULL && nodep->doc != NULL) {
xmlSetTreeDoc(newchild, nodep->doc);
dom_set_document_ref_pointers(newchild, intern->document); dom_set_document_ref_pointers(newchild, intern->document);
} }
@ -1320,6 +1322,7 @@ static void dom_node_append_child_legacy(zval *return_value, dom_object *intern,
} }
if (child->doc == NULL && nodep->doc != NULL) { if (child->doc == NULL && nodep->doc != NULL) {
xmlSetTreeDoc(child, nodep->doc);
dom_set_document_ref_pointers(child, intern->document); dom_set_document_ref_pointers(child, intern->document);
} }

24
ext/dom/tests/gh16777_1.phpt Normal file
View File

@ -0,0 +1,24 @@
--TEST--
GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
--EXTENSIONS--
dom
--FILE--
<?php
$text = new DOMText('my value');
$doc = new DOMDocument();
$doc->appendChild($text);
$text->__construct('my new value');
$doc->appendChild($text);
echo $doc->saveXML();
$dom2 = new DOMDocument();
try {
$dom2->appendChild($text);
} catch (DOMException $e) {
echo $e->getMessage(), "\n";
}
?>
--EXPECT--
<?xml version="1.0"?>
my value
my new value
Wrong Document Error

27
ext/dom/tests/gh16777_2.phpt Normal file
View File

@ -0,0 +1,27 @@
--TEST--
GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
--EXTENSIONS--
dom
--FILE--
<?php
$el = new DOMElement('name');
$el->append($child = new DOMElement('child'));
$doc = new DOMDocument();
$doc->appendChild($el);
$el->__construct('newname');
$doc->appendChild($el);
echo $doc->saveXML();
$dom2 = new DOMDocument();
try {
$dom2->appendChild($el);
} catch (DOMException $e) {
echo $e->getMessage(), "\n";
}
var_dump($child->ownerDocument === $doc);
?>
--EXPECT--
<?xml version="1.0"?>
<name><child/></name>
<newname/>
Wrong Document Error
bool(true)

6
ext/simplexml/simplexml.c
View File

@ -2479,7 +2479,11 @@ static zval *php_sxe_iterator_current_data(zend_object_iterator *iter) /* {{{ */
{ {
php_sxe_iterator *iterator = (php_sxe_iterator *)iter; php_sxe_iterator *iterator = (php_sxe_iterator *)iter;
return &iterator->sxe->iter.data; zval *data = &iterator->sxe->iter.data;
if (Z_ISUNDEF_P(data)) {
return NULL;
}
return data;
} }
/* }}} */ /* }}} */

12
ext/simplexml/tests/gh16808.phpt Normal file
View File

@ -0,0 +1,12 @@
--TEST--
GH-16808 (Segmentation fault in RecursiveIteratorIterator->current() with a xml element input)
--EXTENSIONS--
simplexml
--FILE--
<?php
$sxe = new SimpleXMLElement("<root />");
$test = new RecursiveIteratorIterator($sxe);
var_dump($test->current());
?>
--EXPECT--
NULL