Fix GH-18979: DOM\XMLDocument::createComment() triggers undefined behavior with null byte

Closes GH-18983.
2025-08-15 13:38:49 +02:00 · 2025-06-30 18:48:27 +02:00 · 2025-06-30 18:48:27 +02:00 · 1d5089e574
commit 1d5089e574
parent 7f5d491a05
3 changed files with 22 additions and 1 deletions
--- a/4
+++ b/4
@ -14,6 +14,10 @@ PHP                                                                        NEWS
  . Fix memory leaks when returning refcounted value from curl callback.
    (nielsdos)

+- DOM:
+  . Fixed bug GH-18979 (Dom\XMLDocument::createComment() triggers undefined
+    behavior with null byte). (nielsdos)
+
 - LDAP:
  . Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty
    request OID. (David Carlier)
--- a/ext/dom/tests/modern/xml/gh18979.phpt
+++ b/ext/dom/tests/modern/xml/gh18979.phpt
@ -0,0 +1,13 @@
+--TEST--
+GH-18979 (DOM\XMLDocument::createComment() triggers undefined behavior with null byte)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$dom = Dom\XMLDocument::createEmpty();
+$container = $dom->createElement("container");
+$container->append($dom->createComment("\0"));
+var_dump($container->innerHTML);
+?>
+--EXPECT--
+string(7) "<!---->"
--- a/ext/dom/xml_serializer.c
+++ b/ext/dom/xml_serializer.c
@ -640,7 +640,11 @@ static int dom_xml_serialize_comment_node(xmlOutputBufferPtr out, xmlNodePtr com
 		const xmlChar *ptr = comment->content;
 		if (ptr != NULL) {
 			TRY(dom_xml_check_char_production(ptr));
-			if (strstr((const char *) ptr, "--") != NULL || ptr[strlen((const char *) ptr) - 1] == '-') {
+			if (strstr((const char *) ptr, "--") != NULL) {
+				return -1;
+			}
+			size_t len = strlen((const char *) ptr);
+			if (len > 0 && ptr[len - 1] == '-') {
 				return -1;
 			}
 		}