archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source 
* PHP-8.3:
  Fix GH-16595: Another UAF in DOM -> cloneNode
  Fix GH-16593: Assertion failure in DOM->replaceChild
This commit is contained in:
Niels Dossche 2024-10-28 19:42:10 +01:00
commit 6e82ae9990
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
4 changed files with 67 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

25
ext/dom/node.c
View file

@ -895,6 +895,16 @@ static void dom_node_insert_before_legacy(zval *return_value, zval *ref, dom_obj
RETURN_FALSE;
}
xmlNodePtr refp = NULL;
if (ref != NULL) {
dom_object *refpobj;
DOM_GET_OBJ(refp, ref, xmlNodePtr, refpobj);
if (refp->parent != parentp) {
php_dom_throw_error(NOT_FOUND_ERR, stricterror);
RETURN_FALSE;
}
}
if (child->doc == NULL && parentp->doc != NULL) {
dom_set_document_ref_pointers(child, intern->document);
}
@ -902,14 +912,6 @@ static void dom_node_insert_before_legacy(zval *return_value, zval *ref, dom_obj
php_libxml_invalidate_node_list_cache(intern->document);
if (ref != NULL) {
xmlNodePtr refp;
dom_object *refpobj;
DOM_GET_OBJ(refp, ref, xmlNodePtr, refpobj);
if (refp->parent != parentp) {
php_dom_throw_error(NOT_FOUND_ERR, stricterror);
RETURN_FALSE;
}
if (child->parent != NULL) {
xmlUnlinkNode(child);
}
@ -1196,6 +1198,13 @@ static void dom_node_replace_child(INTERNAL_FUNCTION_PARAMETERS, bool modern)
RETURN_FALSE;
}
/* This is already disallowed by libxml, but we should check it here to avoid
* breaking assumptions and assertions. */
if ((oldchild->type == XML_ATTRIBUTE_NODE) != (newchild->type == XML_ATTRIBUTE_NODE)) {
php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
RETURN_FALSE;
}
if (oldchild->parent != nodep) {
php_dom_throw_error(NOT_FOUND_ERR, stricterror);
RETURN_FALSE;