archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source 
* PHP-8.3:
  Fix GH-16595: Another UAF in DOM -> cloneNode
  Fix GH-16593: Assertion failure in DOM->replaceChild
This commit is contained in:
Niels Dossche 2024-10-28 19:42:10 +01:00
commit 6e82ae9990
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
4 changed files with 67 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

2
NEWS
View file

@ -10,6 +10,8 @@ PHP NEWS
- DOM: - DOM:
. Fixed bug GH-16594 (Assertion failure in DOM -> before). (nielsdos) . Fixed bug GH-16594 (Assertion failure in DOM -> before). (nielsdos)
. Fixed bug GH-16593 (Assertion failure in DOM->replaceChild). (nielsdos)
. Fixed bug GH-16595 (Another UAF in DOM -> cloneNode). (nielsdos)
- GD: - GD:
. Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007). . Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007).

25
ext/dom/node.c
View file

@ -895,6 +895,16 @@ static void dom_node_insert_before_legacy(zval *return_value, zval *ref, dom_obj
RETURN_FALSE; RETURN_FALSE;
} }
xmlNodePtr refp = NULL;
if (ref != NULL) {
dom_object *refpobj;
DOM_GET_OBJ(refp, ref, xmlNodePtr, refpobj);
if (refp->parent != parentp) {
php_dom_throw_error(NOT_FOUND_ERR, stricterror);
RETURN_FALSE;
}
}
if (child->doc == NULL && parentp->doc != NULL) { if (child->doc == NULL && parentp->doc != NULL) {
dom_set_document_ref_pointers(child, intern->document); dom_set_document_ref_pointers(child, intern->document);
} }
@ -902,14 +912,6 @@ static void dom_node_insert_before_legacy(zval *return_value, zval *ref, dom_obj
php_libxml_invalidate_node_list_cache(intern->document); php_libxml_invalidate_node_list_cache(intern->document);
if (ref != NULL) { if (ref != NULL) {
xmlNodePtr refp;
dom_object *refpobj;
DOM_GET_OBJ(refp, ref, xmlNodePtr, refpobj);
if (refp->parent != parentp) {
php_dom_throw_error(NOT_FOUND_ERR, stricterror);
RETURN_FALSE;
}
if (child->parent != NULL) { if (child->parent != NULL) {
xmlUnlinkNode(child); xmlUnlinkNode(child);
} }
@ -1196,6 +1198,13 @@ static void dom_node_replace_child(INTERNAL_FUNCTION_PARAMETERS, bool modern)
RETURN_FALSE; RETURN_FALSE;
} }
/* This is already disallowed by libxml, but we should check it here to avoid
* breaking assumptions and assertions. */
if ((oldchild->type == XML_ATTRIBUTE_NODE) != (newchild->type == XML_ATTRIBUTE_NODE)) {
php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
RETURN_FALSE;
}
if (oldchild->parent != nodep) { if (oldchild->parent != nodep) {
php_dom_throw_error(NOT_FOUND_ERR, stricterror); php_dom_throw_error(NOT_FOUND_ERR, stricterror);
RETURN_FALSE; RETURN_FALSE;

22
ext/dom/tests/gh16593.phpt Normal file
View file

@ -0,0 +1,22 @@
--TEST--
GH-16593 (Assertion failure in DOM->replaceChild)
--EXTENSIONS--
dom
--FILE--
<?php
$doc = new DOMDocument;
$root = $doc->appendChild($doc->createElement('root'));
$child = $root->appendChild($doc->createElement('child'));
try {
$root->replaceChild($doc->createAttribute('foo'), $child);
} catch (DOMException $e) {
echo $e->getMessage(), "\n";
}
echo $doc->saveXML();
?>
--EXPECT--
Hierarchy Request Error
<?xml version="1.0"?>
<root><child/></root>

26
ext/dom/tests/gh16595.phpt Normal file
View file

@ -0,0 +1,26 @@
--TEST--
GH-16595 (Another UAF in DOM -> cloneNode)
--EXTENSIONS--
dom
--CREDITS--
chibinz
--FILE--
<?php
$v0 = new DOMElement ( "jg" );
$v1 = new DOMDocument ( "Zb" );
$v2 = new DOMElement ( "IU" );
$v7 = new DOMElement ( "L" , null , "df" );
$v9 = new DOMDocument ( );
try { $v1 -> insertBefore ( $v0 , $v9 ); } catch (\Throwable) { }
$v0 -> replaceChildren ( $v7 );
$v7 -> before ( $v2 );
$v1 -> insertBefore ( $v0 );
$v2 -> cloneNode ( );
echo $v1->saveXML();
echo $v9->saveXML();
?>
--EXPECT--
<?xml version="Zb"?>
<jg xmlns:default="df"><IU/><default:L xmlns="df"/></jg>
<?xml version="1.0"?>