archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.4'

Browse source 
* PHP-8.4:
  Fix GH-18979: DOM\XMLDocument::createComment() triggers undefined behavior with null byte
This commit is contained in:
Niels Dossche 2025-07-01 18:51:31 +02:00
commit 30662e4e2b
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
2 changed files with 18 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

13
ext/dom/tests/modern/xml/gh18979.phpt Normal file
View file

@ -0,0 +1,13 @@
--TEST--
GH-18979 (DOM\XMLDocument::createComment() triggers undefined behavior with null byte)
--EXTENSIONS--
dom
--FILE--
<?php
$dom = Dom\XMLDocument::createEmpty();
$container = $dom->createElement("container");
$container->append($dom->createComment("\0"));
var_dump($container->innerHTML);
?>
--EXPECT--
string(7) "<!---->"

6
ext/dom/xml_serializer.c
View file

@ -640,7 +640,11 @@ static int dom_xml_serialize_comment_node(xmlOutputBufferPtr out, xmlNodePtr com
const xmlChar *ptr = comment->content;
if (ptr != NULL) {
TRY(dom_xml_check_char_production(ptr));
if (strstr((const char *) ptr, "--") != NULL || ptr[strlen((const char *) ptr) - 1] == '-') {
if (strstr((const char *) ptr, "--") != NULL) {
return -1;
}
size_t len = strlen((const char *) ptr);
if (len > 0 && ptr[len - 1] == '-') {
return -1;
}
}