archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.4'

Browse source 
* PHP-8.4:
  Fix GH-18597: Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes
This commit is contained in:
Niels Dossche 2025-05-20 21:32:27 +02:00
commit efaae93e48
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
5 changed files with 23 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

2
ext/dom/inner_outer_html_mixin.c
View file

@ -95,7 +95,7 @@ static zend_string *dom_element_html_fragment_serialize(dom_object *obj, xmlNode
status |= xmlOutputBufferFlush(out); status |= xmlOutputBufferFlush(out);
status |= xmlOutputBufferClose(out); status |= xmlOutputBufferClose(out);
} }
(void) xmlSaveClose(ctxt); status |= xmlSaveClose(ctxt);
xmlCharEncCloseFunc(handler); xmlCharEncCloseFunc(handler);
} }
if (UNEXPECTED(status < 0)) { if (UNEXPECTED(status < 0)) {

4
ext/dom/xml_document.c
View file

@ -282,7 +282,7 @@ static zend_string *php_new_dom_dump_node_to_str_ex(xmlNodePtr node, int options
} else { } else {
xmlCharEncCloseFunc(handler); xmlCharEncCloseFunc(handler);
} }
(void) xmlSaveClose(ctxt); status |= xmlSaveClose(ctxt);
} }
if (UNEXPECTED(status < 0)) { if (UNEXPECTED(status < 0)) {
@ -319,7 +319,7 @@ zend_long php_new_dom_dump_node_to_file(const char *filename, xmlDocPtr doc, xml
if (EXPECTED(ctxt != NULL)) { if (EXPECTED(ctxt != NULL)) {
status = dom_xml_serialize(ctxt, out, node, format, false, get_private_data_from_node(node)); status = dom_xml_serialize(ctxt, out, node, format, false, get_private_data_from_node(node));
status |= xmlOutputBufferFlush(out); status |= xmlOutputBufferFlush(out);
(void) xmlSaveClose(ctxt); status |= xmlSaveClose(ctxt);
} }
size_t offset = php_stream_tell(stream); size_t offset = php_stream_tell(stream);

2
ext/libxml/libxml.c
View file

@ -1505,7 +1505,7 @@ static zend_string *php_libxml_default_dump_doc_to_str(xmlDocPtr doc, int option
} }
long status = xmlSaveDoc(ctxt, doc); long status = xmlSaveDoc(ctxt, doc);
(void) xmlSaveClose(ctxt); status |= xmlSaveClose(ctxt);
if (status < 0) { if (status < 0) {
smart_str_free_ex(&str, false); smart_str_free_ex(&str, false);
return NULL; return NULL;

3
ext/simplexml/simplexml.c
View file

@ -1403,7 +1403,8 @@ PHP_METHOD(SimpleXMLElement, asXML)
if (!result) { if (!result) {
RETURN_FALSE; RETURN_FALSE;
} else { } else {
RETURN_NEW_STR(result); /* Defense-in-depth: don't use the NEW variant in case somehow an empty string gets returned */
RETURN_STR(result);
} }
} }
/* }}} */ /* }}} */

17
ext/simplexml/tests/gh18597.phpt Normal file
View file

@ -0,0 +1,17 @@
--TEST--
GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes)
--EXTENSIONS--
simplexml
--FILE--
<?php
$sx1 = new SimpleXMLElement("<root />");
$sx1->node[0] = 'node1';
$node = $sx1->node[0];
$node[0] = '<27><>c';
$sx1->asXML(); // Depends on the available system encodings whether this fails or not, point is, it should not crash
echo "Done\n";
?>
--EXPECT--
Done