Fix GH-17145: DOM memory leak

Because the use of RETURN instead of RETVAL, the freeing code could not be executed. This only is triggerable if the content of the attribute is mixed text and entities, so it wasn't noticed earlier. Closes GH-17147.
2025-08-15 21:48:51 +02:00 · 2024-12-13 18:12:46 +01:00 · 2024-12-13 18:12:46 +01:00 · 4656c22526
commit 4656c22526
parent ccc6c0f78c
3 changed files with 26 additions and 1 deletions
--- a/3
+++ b/3
@ -17,6 +17,9 @@ PHP                                                                        NEWS
 - DBA:
  . Skip test if inifile is disabled. (orlitzky)

+- DOM:
+  . Fixed bug GH-17145 (DOM memory leak). (nielsdos)
+
 - FFI:
  . Fixed bug #79075 (FFI header parser chokes on comments). (nielsdos)

--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@ -2375,7 +2375,7 @@ void php_dom_get_content_into_zval(const xmlNode *nodep, zval *return_value, boo
 		case XML_ATTRIBUTE_NODE: {
 			bool free;
 			xmlChar *value = php_libxml_attr_value((const xmlAttr *) nodep, &free);
-			RETURN_STRING_FAST((const char *) value);
+			RETVAL_STRING_FAST((const char *) value);
 			if (free) {
 				xmlFree(value);
 			}
--- a/ext/dom/tests/gh17145.phpt
+++ b/ext/dom/tests/gh17145.phpt
@ -0,0 +1,22 @@
+--TEST--
+GH-17145 (DOM memory leak)
+--EXTENSIONS--
+dom
+--CREDITS--
+YuanchengJiang
+--SKIPIF--
+<?php
+if (LIBXML_VERSION < 21300) die("skip Upstream libxml bug causes incorrect output, fixed in GNOME/libxml2@b8597f4");
+?>
+--FILE--
+<?php
+$element = new DOMElement("N", "W", "y");
+$attr = new DOMAttr("c" , "n");
+$doc = new DOMDocument();
+$doc->appendChild($element);
+$element->setAttributeNodeNS($attr);
+$attr->appendChild($doc->createEntityReference('amp'));
+echo $attr->value;
+?>
+--EXPECT--
+n&