archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix validation logic of php:function() callbacks in dom and xsl

Browse source 
Two issues:
- Assumed that at least 1 argument (function name) was provided.
- Incorrect error path for the non-callable case.

Closes GH-12593.
This commit is contained in:
Niels Dossche 2023-11-02 01:35:21 +01:00
parent 77a497d56a
commit 20c9c4a367
5 changed files with 90 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

9
ext/xsl/xsltprocessor.c
View file

@ -141,12 +141,17 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
return;
}
if (UNEXPECTED(nargs == 0)) {
zend_throw_error(NULL, "Function name must be passed as the first argument");
return;
}
fci.param_count = nargs - 1;
if (fci.param_count > 0) {
args = safe_emalloc(fci.param_count, sizeof(zval), 0);
}
/* Reverse order to pop values off ctxt stack */
for (i = nargs - 2; i >= 0; i--) {
for (i = fci.param_count - 1; i >= 0; i--) {
obj = valuePop(ctxt);
if (obj == NULL) {
ZVAL_NULL(&args[i]);
@ -221,7 +226,7 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
fci.params = NULL;
}
/* Last element of the stack is the function name */
obj = valuePop(ctxt);
if (obj == NULL || obj->stringval == NULL) {
php_error_docref(NULL, E_WARNING, "Handler name must be a string");