- Fixed phpinfo() cutoff of variables at \0. (Ilia)
- Fixed a bug in the filter extension that prevented magic_quotes_gpc from
being applied when RAW filter is used. (Ilia)
+- Fixed bug #38347 (Segmentation fault when using foreach with an unknown/empty
+ SimpleXMLElement). (Tony)
- Fixed bug #38322 (reading past array in sscanf() leads to arbitary code
execution). (Tony)
- Fixed bug #38303 (spl_autoload_register() supress all errors silently).
efree(object->document->doc_props);
}
efree(object->document);
+ object->document = NULL;
}
- object->document = NULL;
}
return ret_refcount;
obj_node->_private = NULL;
}
}
+ }
+ if (object != NULL && object->document != NULL) {
/* Safe to call as if the resource were freed then doc pointer is NULL */
php_libxml_decrement_doc_ref(object TSRMLS_CC);
}
if (sxe->iter.type == SXE_ITER_ELEMENT) {
orgnode = sxe_find_element_by_name(sxe, node, sxe->iter.name TSRMLS_CC);
+ if (!orgnode) {
+ return NULL;
+ }
node = orgnode->children;
}
--- /dev/null
+--TEST--
+Bug #38347 (Segmentation fault when using foreach with an unknown/empty SimpleXMLElement)
+--SKIPIF--
+<?php if (!extension_loaded("simplexml")) print "skip"; ?>
+--FILE--
+<?php
+
+function iterate($xml)
+{
+ print_r($xml);
+ foreach ($xml->item as $item) {
+ echo "This code will crash!";
+ }
+}
+
+$xmlstr = "<xml><item>Item 1</item><item>Item 2</item></xml>";
+$xml = simplexml_load_string($xmlstr);
+iterate($xml->unknown);
+
+echo "Done\n";
+?>
+--EXPECTF--
+SimpleXMLElement Object
+(
+)
+
+Warning: iterate(): Node no longer exists in %s on line %d
+Done
projects / php / commitdiff