Commit graph

365 commits

Author SHA1 Message Date
Niels Dossche
40e667280b
Fix GH-18597: Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes
xmlSave() also can flush in some cases. When the encoding is not
available this can fail for short inputs, resulting in an empty string
which is interned but then wrongly tagged by RETURN_NEW_STR.
Fix this by checking the error condition and switching to RETURN_STR for
defense-in-depth.

This issue also exists on 8.3, but does not crash; however, due to the
different API usage internally I cannot easily fix it on 8.3. There it
gives a partial output.

Closes GH-18606.
2025-05-20 21:32:17 +02:00
Niels Dossche
7415dc4649
Fix sxe test 2025-04-11 23:56:57 +02:00
Niels Dossche
a019fbd970
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-18309: ipv6 filter integer overflow
  Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault
2025-04-11 23:36:12 +02:00
Niels Dossche
ba0853888d
Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault
For dynamic fetches the cache_slot will be NULL, so we have to check for
that when resetting the cache. For zip and xmlreader this couldn't
easily be tested because of a lack of writable properties.

Closes GH-18307.
2025-04-11 23:33:58 +02:00
Niels Dossche
09189026e6
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix test GH-16535 for libxml2 2.14
  Fix tests for libxml2 2.14
2025-03-10 20:23:43 +01:00
Niels Dossche
1befdce0e6
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  Fix test GH-16535 for libxml2 2.14
  Fix tests for libxml2 2.14
2025-03-10 20:23:36 +01:00
Niels Dossche
239b01db7c
Merge branch 'PHP-8.1' into PHP-8.2
* PHP-8.1:
  Fix tests for libxml2 2.14
2025-03-10 20:22:27 +01:00
Niels Dossche
f209eb448e
Fix tests for libxml2 2.14
See GH-18009.
2025-03-10 20:22:11 +01:00
Niels Dossche
ee4a9a4a7c
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-17736: Assertion failure zend_reference_destroy()
2025-03-02 22:37:07 +01:00
Niels Dossche
ce8ab5f16a
Fix GH-17736: Assertion failure zend_reference_destroy()
The cache slot for FETCH_OBJ_W in function `test` is primed with the
class for C. The next call uses a simplexml instance and reuses the same
cache slot. simplexml's get_property_ptr handler does not use the cache
slot, so the old values remain in the cache slot. When
`zend_handle_fetch_obj_flags` is called this is not guarded by a check
for the class entry. So we end up using the prop_info from the property
C::$a instead of the simplexml property.

This patch adds a reset to the cache slots in the property address fetch
code and also in the extensions with a non-standard reference handler.
This keeps the run time cache consistent and avoids the issue without
complicating the fast paths.

Closes GH-17739.
2025-03-02 22:33:32 +01:00
Niels Dossche
3eb79e146f
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-17409: Assertion failure Zend/zend_hash.c:1730
  NEWS
  Add comment
  Fix GH-16892: ini_parse_quantity() fails to parse inputs starting with 0x0b
  Fix GH-16886: ini_parse_quantity() fails to emit warning for 0x+0
  Merge duplicate code blocks
2025-01-09 19:54:46 +01:00
Niels Dossche
a2a7287b87
Fix GH-17409: Assertion failure Zend/zend_hash.c:1730
The array merging function may still hold the properties array while the
object is already being destroyed. Therefore, we should take into
account the refcount in simplexml's destruction code.
It may be possible to trigger this in other ways too.

Closes GH-17421.
2025-01-09 19:53:54 +01:00
Niels Dossche
9eaee687d3
Revert 746b1cf4 "Access long value directly for call to count() in simplexml"
The count() function has a tentative return type.
Add a comment for the future.
2024-12-29 14:37:25 +01:00
Niels Dossche
aea64c89f2
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-17153: SimpleXML crash when using autovivification on document
2024-12-15 11:32:02 +01:00
Niels Dossche
a57a434f95
Fix GH-17153: SimpleXML crash when using autovivification on document
In the case of a member string, `mynode` may also be a document, which
doesn't have a namespace.

Closes GH-17156.
2024-12-15 11:31:32 +01:00
Niels Dossche
953f4ef2cb
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-17040: SimpleXML's unset can break DOM objects
2024-12-06 20:10:03 +01:00
Niels Dossche
7acc3ac808
Fix GH-17040: SimpleXML's unset can break DOM objects
Don't free the underlying nodes if we still have objects pointing to
them, otherwise the objects are left with a NULL node pointer.

Closes GH-17046.
2024-12-06 20:06:51 +01:00
Niels Dossche
d3fada3748
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-16777: Calling the constructor again on a DOM object after it is in a document causes UAF
  Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input
2024-11-16 13:42:14 +01:00
Niels Dossche
2ba18590bf
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input
2024-11-16 13:41:29 +01:00
Niels Dossche
fbb0061993
Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input
When the current data is invalid, NULL must be returned. At least that's
how the check in SPL works and how other extensions do this as well.
If we don't do this, an UNDEF value gets propagated to a return value
(misprinted as null); leading to issues.

Closes GH-16825.
2024-11-16 13:39:46 +01:00
Niels Dossche
bb46b4b799 Backport 4fe82131: Backport libxml2 2.13.2 fixes (#14816)
Backproted from https://github.com/php/php-src/pull/14789
2024-10-12 15:12:40 +02:00
Niels Dossche
0d9b039568
Merge branch 'PHP-8.3'
* PHP-8.3:
  Fix GH-15837: Segmentation fault in ext/simplexml/simplexml.c
2024-09-11 20:40:01 +02:00
Niels Dossche
bc20b403cf
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  Fix GH-15837: Segmentation fault in ext/simplexml/simplexml.c
2024-09-11 20:39:30 +02:00
Niels Dossche
b5834c12d4
Fix GH-15837: Segmentation fault in ext/simplexml/simplexml.c
We should check if the iterator data is still valid, because if it
isn't, then the type info is UNDEF, but the pointer value may be
dangling.

Closes GH-15841.
2024-09-11 20:38:38 +02:00
Gina Peter Bnayard
5853cdb73d Use "must not" instead of "cannot" wording 2024-08-21 21:12:17 +01:00
Niels Dossche
f0441e05b8
Add LIBXML_NO_XXE constant (#14844)
This constant is available as of libxml2 2.13, and is used together with
LIBXML_NOENT to allow entity subsitution but disallow external entities.
2024-07-06 17:43:46 +02:00
Niels Dossche
ecf0bb0fd1
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  [ci skip] NEWS
  Backport libxml2 2.13.2 fixes (#14816)
2024-07-04 15:37:35 +02:00
Niels Dossche
4fe821311c
Backport libxml2 2.13.2 fixes (#14816)
Backproted from https://github.com/php/php-src/pull/14789
2024-07-04 15:29:50 +02:00
Niels Dossche
173a4033a1 Fix tests for libxml2 2.13.2 2024-07-03 10:34:46 -07:00
David Carlier
66a06d6fa5
Merge branch 'PHP-8.3' 2024-07-01 22:38:05 +01:00
David Carlier
20866b37aa
Merge branch 'PHP-8.2' into PHP-8.3 2024-07-01 22:37:54 +01:00
David Carlier
2edf12e87f
Fix GH-14638: null dereference after XML parsing failure.
object document is null if the parsing had failed prior to cast to
string.
2024-07-01 22:36:32 +01:00
Niels Dossche
6e7adb3c48
Update ext/dom names after policy change (#14171) 2024-05-09 10:40:53 +02:00
Niels Dossche
8637a3f5b0 Fix getDocNamespaces() not working when only having xmlns attributes without an internal declaration in the document 2024-05-05 10:14:40 +02:00
Niels Dossche
14b6c981c3
[RFC] Add a way to opt-in ext/dom spec compliance (#13031)
RFC: https://wiki.php.net/rfc/opt_in_dom_spec_compliance
2024-03-09 16:56:00 +01:00
Niels Dossche
035a5fdf8c
Add LIBXML_RECOVER (#13504)
Setting the recovery option by using a hardcoded value (1) worked
already for SimpleXML. For DOM, a small change is necessary because
otherwise the recover field overwrites the recovery option.

From a quick search on GitHub [1] it looks like this won't clash with
existing PHP code as no one seems to define (or use) a constant with
such a name.

[1] https://github.com/search?q=LIBXML_RECOVER+language%3APHP&type=code&l=PHP
2024-02-25 21:03:37 +01:00
Peter Kokot
085da2725f Merge branch 'PHP-8.3'
* PHP-8.3:
  Use EXTENSIONS instead of SKIPIF sections in *.phpt
2024-01-31 11:20:56 +01:00
Peter Kokot
8d5fc8d23f Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  Use EXTENSIONS instead of SKIPIF sections in *.phpt
2024-01-31 11:20:44 +01:00
Peter Kokot
218a93b898 Use EXTENSIONS instead of SKIPIF sections in *.phpt
This also fixes skipped tests due to different naming "zend-test"
instead of "zend_test" and "PDO" instead of "pdo":

- ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt
- ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt
- ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt
- ext/zend_test/tests/observer_sqlite_create_function.phpt

EXTENSIONS section is used for the Windows build to load the non-static
extensions.

Closes GH-13276
2024-01-31 11:18:21 +01:00
Niels Dossche
61b7370b6d Merge branch 'PHP-8.3'
* PHP-8.3:
  Fix GH-12929: SimpleXMLElement with stream_wrapper_register can segfault
  Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash
  Fix GH-12962: Double free of init_file in phpdbg_prompt.c
2023-12-17 11:52:48 +01:00
Niels Dossche
f75931ad9e Fix GH-12929: SimpleXMLElement with stream_wrapper_register can segfault
Move SimpleXML invalidation code after node checks

This is safe, i.e. the tree hasn't been modified yet, because either we
didn't call a libxml modification function yet, or xmlNewChild is called
with a NULL pointer, which makes it bail out and return NULL.

Closes GH-12947.
2023-12-17 11:51:42 +01:00
Niels Dossche
4fc336c784 Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash
  Fix GH-12962: Double free of init_file in phpdbg_prompt.c
2023-12-17 11:50:42 +01:00
Niels Dossche
abf4c116b1 Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash
Closes GH-12945.
2023-12-17 11:47:11 +01:00
Niels Dossche
ec2ef6465d Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  Apply SimpleXML iterator fixes only on master
2023-09-30 17:55:34 +02:00
Niels Dossche
77f44b2281 Merge branch 'PHP-8.1' into PHP-8.2
* PHP-8.1:
  Apply SimpleXML iterator fixes only on master
2023-09-30 17:53:57 +02:00
Niels Dossche
b842ea4fa8 Apply SimpleXML iterator fixes only on master
Many methods in SimpleXML reset the iterator when called. This has the
consequence that mixing these operations with loops can cause infinite
loops, or the loss of iteration data.
Some people may however rely on the resetting behaviour. To prevent
unintended breaks in stable branches, let's only apply the fix to master.

This reverts GH-12193, GH-12229, GG-12247 for stable branches while
keeping them on master, adding a note in UPGRADING as well.
2023-09-30 17:48:05 +02:00
Niels Dossche
2e8cdd8eec Merge branch 'PHP-8.3'
* PHP-8.3:
  Fix GH-12167 and GH-12169: Unable to get comment or processing instruction contents in SimpleXML
2023-09-25 19:50:58 +02:00
Niels Dossche
190a535325 Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  Fix GH-12167 and GH-12169: Unable to get comment or processing instruction contents in SimpleXML
2023-09-25 19:49:36 +02:00
Niels Dossche
9c37a02c54 Merge branch 'PHP-8.1' into PHP-8.2
* PHP-8.1:
  Fix GH-12167 and GH-12169: Unable to get comment or processing instruction contents in SimpleXML
2023-09-25 19:48:49 +02:00
Niels Dossche
82a84d0b7b Fix GH-12167 and GH-12169: Unable to get comment or processing instruction contents in SimpleXML
Closes GH-12289.
2023-09-25 19:47:09 +02:00