Fix trampoline leak in xpath callables

Closes GH-15009.
2025-08-16 05:58:45 +02:00 · 2024-07-18 15:17:42 +02:00 · 2024-07-18 15:17:42 +02:00 · a59103feed
commit a59103feed
parent 5471f3d922
5 changed files with 54 additions and 4 deletions
--- a/6
+++ b/6
@ -5,6 +5,9 @@ PHP                                                                        NEWS
 - Core:
  . Fix GH-14978 (The xmlreader extension phpize build). (Peter Kokot)

+- DOM:
+  . Fix trampoline leak in xpath callables. (nielsdos)
+
 - OpenSSL:
  . Bumped minimum required OpenSSL version to 1.1.0. (cmb)

@ -16,6 +19,9 @@ PHP                                                                        NEWS
 - Standard:
  . Fix references in request_parse_body() options array. (nielsdos)

+- XSL:
+  . Fix trampoline leak in xpath callables. (nielsdos)
+
 18 Jul 2024, PHP 8.4.0alpha2

 - Core:
--- a/ext/dom/tests/registerPhpFunctionNS_errors.phpt
+++ b/ext/dom/tests/registerPhpFunctionNS_errors.phpt
@ -5,6 +5,11 @@ dom
 --FILE--
 <?php

+class TrampolineClass {
+    public function __call($name, $args) {
+    }
+}
+
 $doc = new DOMDocument();
 $doc->loadHTML('<a href="https://PHP.net">hello</a>');

@ -16,6 +21,18 @@ try {
    echo $e->getMessage(), "\n";
 }

+try {
+    $xpath->registerPhpFunctionNS('http://php.net/xpath', 'test', [new TrampolineClass, 'test']);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    $xpath->registerPhpFunctionNS('urn:foo', '$$$', [new TrampolineClass, 'test']);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
 try {
    $xpath->registerPhpFunctionNS('urn:foo', 'x:a', strtolower(...));
 } catch (ValueError $e) {
@ -37,6 +54,8 @@ try {
 ?>
 --EXPECT--
 DOMXPath::registerPhpFunctionNS(): Argument #1 ($namespaceURI) must not be "http://php.net/xpath" because it is reserved by PHP
+DOMXPath::registerPhpFunctionNS(): Argument #1 ($namespaceURI) must not be "http://php.net/xpath" because it is reserved by PHP
+DOMXPath::registerPhpFunctionNS(): Argument #2 ($name) must be a valid callback name
 DOMXPath::registerPhpFunctionNS(): Argument #2 ($name) must be a valid callback name
 DOMXPath::registerPhpFunctionNS(): Argument #2 ($name) must not contain any null bytes
 DOMXPath::registerPhpFunctionNS(): Argument #1 ($namespaceURI) must not contain any null bytes
--- a/ext/dom/xpath.c
+++ b/ext/dom/xpath.c
@ -462,11 +462,12 @@ PHP_METHOD(DOMXPath, registerPhpFunctionNS)
 	ZEND_PARSE_PARAMETERS_END();

 	if (zend_string_equals_literal(namespace, "http://php.net/xpath")) {
+		zend_release_fcall_info_cache(&fcc);
 		zend_argument_value_error(1, "must not be \"http://php.net/xpath\" because it is reserved by PHP");
 		RETURN_THROWS();
 	}

-	php_dom_xpath_callbacks_update_single_method_handler(
+	if (php_dom_xpath_callbacks_update_single_method_handler(
 		&intern->xpath_callbacks,
 		intern->dom.ptr,
 		namespace,
@ -474,7 +475,9 @@ PHP_METHOD(DOMXPath, registerPhpFunctionNS)
 		&fcc,
 		PHP_DOM_XPATH_CALLBACK_NAME_VALIDATE_NCNAME,
 		dom_xpath_register_func_in_ctx
-	);
+	) != SUCCESS) {
+		zend_release_fcall_info_cache(&fcc);
+	}
 }

 /* {{{ */
--- a/ext/xsl/tests/registerPHPFunctionNS_errors.phpt
+++ b/ext/xsl/tests/registerPHPFunctionNS_errors.phpt
@ -5,6 +5,11 @@ xsl
 --FILE--
 <?php

+class TrampolineClass {
+    public function __call($name, $args) {
+    }
+}
+
 require __DIR__ . '/xpath_callables.inc';

 try {
@ -13,6 +18,18 @@ try {
    echo $e->getMessage(), "\n";
 }

+try {
+    createProcessor([])->registerPhpFunctionNS('http://php.net/xsl', 'test', [new TrampolineClass, 'test']);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    createProcessor([])->registerPhpFunctionNS('urn:foo', '$$$', [new TrampolineClass, 'test']);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
 try {
    createProcessor([])->registerPhpFunctionNS('urn:foo', 'x:a', strtolower(...));
 } catch (ValueError $e) {
@ -34,6 +51,8 @@ try {
 ?>
 --EXPECT--
 XSLTProcessor::registerPHPFunctionNS(): Argument #1 ($namespaceURI) must not be "http://php.net/xsl" because it is reserved by PHP
+XSLTProcessor::registerPHPFunctionNS(): Argument #1 ($namespaceURI) must not be "http://php.net/xsl" because it is reserved by PHP
+XSLTProcessor::registerPHPFunctionNS(): Argument #2 ($name) must be a valid callback name
 XSLTProcessor::registerPHPFunctionNS(): Argument #2 ($name) must be a valid callback name
 XSLTProcessor::registerPHPFunctionNS(): Argument #2 ($name) must not contain any null bytes
 XSLTProcessor::registerPHPFunctionNS(): Argument #1 ($namespaceURI) must not contain any null bytes
--- a/ext/xsl/xsltprocessor.c
+++ b/ext/xsl/xsltprocessor.c
@ -707,11 +707,12 @@ PHP_METHOD(XSLTProcessor, registerPHPFunctionNS)
 	ZEND_PARSE_PARAMETERS_END();

 	if (zend_string_equals_literal(namespace, "http://php.net/xsl")) {
+		zend_release_fcall_info_cache(&fcc);
 		zend_argument_value_error(1, "must not be \"http://php.net/xsl\" because it is reserved by PHP");
 		RETURN_THROWS();
 	}

-	php_dom_xpath_callbacks_update_single_method_handler(
+	if (php_dom_xpath_callbacks_update_single_method_handler(
 		&intern->xpath_callbacks,
 		NULL,
 		namespace,
@ -719,7 +720,9 @@ PHP_METHOD(XSLTProcessor, registerPHPFunctionNS)
 		&fcc,
 		PHP_DOM_XPATH_CALLBACK_NAME_VALIDATE_NCNAME,
 		NULL
-	);
+	) != SUCCESS) {
+		zend_release_fcall_info_cache(&fcc);
+	}
 }

 /* {{{ */