Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces)
authorXinchen Hui <laruence@gmail.com>
Fri, 21 Jul 2017 10:16:11 +0000 (18:16 +0800)
committerXinchen Hui <laruence@gmail.com>
Fri, 21 Jul 2017 10:16:11 +0000 (18:16 +0800)
NEWS
ext/simplexml/simplexml.c
ext/simplexml/tests/bug74950.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index bc67ec933eb4511cd2baea36c2f1c8511c381285..f174c5cfa283cae3dc951243d4603e99cd04d9ca 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #74947 (Segfault in scanner on INF number). (Laruence)
 
+- SimpleXML:
+  . Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces).
+    (Laruence)
+
 - SPL:
   . Fixed bug #74669 (Unserialize ArrayIterator broken). (Andrew Nester)
 
index b8b5c37931a53e50a937c0aef2a26d351e173215..0637e06af859ca1d0dea9c2f1530e51b98f1970e 100644 (file)
@@ -2321,16 +2321,16 @@ SXE_METHOD(__construct)
        }
 
        if (ZEND_SIZE_T_INT_OVFL(data_len)) {
-               php_error_docref(NULL, E_WARNING, "Data is too long");
-               RETURN_FALSE;
+               zend_throw_exception(zend_ce_exception, "Data is too long", 0);
+               return;
        }
        if (ZEND_SIZE_T_INT_OVFL(ns_len)) {
-               php_error_docref(NULL, E_WARNING, "Namespace is too long");
-               RETURN_FALSE;
+               zend_throw_exception(zend_ce_exception, "Namespace is too long", 0);
+               return;
        }
        if (ZEND_LONG_EXCEEDS_INT(options)) {
-               php_error_docref(NULL, E_WARNING, "Invalid options");
-               RETURN_FALSE;
+               zend_throw_exception(zend_ce_exception, "Invalid options", 0);
+               return;
        }
 
        docp = is_url ? xmlReadFile(data, NULL, (int)options) : xmlReadMemory(data, (int)data_len, NULL, NULL, (int)options);
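Review bot: These three guards in SXE_METHOD(__construct) now throw, but getDocNamespaces, the method named in the commit title, is not touched by this diff, so the dereference itself may still be unguarded. Any SimpleXMLElement that never completes this constructor could presumably still reach it, for example a subclass whose `__construct` does not call the parent (inferred, not visible here). Consider also rejecting an element with no document at the top of that method, so the crash cannot return through a path other than argument validation. A short comment above the first check would help the next reader, e.g. `/* throw instead of RETURN_FALSE: returning from the constructor leaves an element with no document */`. The constructor body starts and ends outside the hunk.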
diff --git a/ext/simplexml/tests/bug74950.phpt b/ext/simplexml/tests/bug74950.phpt
new file mode 100644 (file)
index 0000000..f267a07
--- /dev/null
@@ -0,0 +1,16 @@
+--TEST--
+Bug #74950 (null pointer deref in zim_simplexml_element_getDocNamespaces)
+--SKIPIF--
+<?php
+if (!extension_loaded("simplexml")) die("skip SimpleXML not available");
+?>
+--FILE--
+<?php
+$xml=new SimpleXMLElement(0,9000000000);var_dump($xml->getDocNamespaces())?>
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception: Invalid options in %sbug74950.php:%d
+Stack trace:
+#0 %sbug74950.php(%d): SimpleXMLElement->__construct('0', 9000000000)
+#1 {main}
+  thrown in %sbug74950.php on line %d
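Review bot: The expected output assumes a 64-bit zend_long, because `9000000000` is only an integer on such builds. On a 32-bit build it would presumably arrive as a float and fail argument parsing with a different message, so the SKIPIF section should also contain `if (PHP_INT_SIZE != 8) die("skip 64-bit platforms only");`. The --FILE-- section closes the PHP tag twice (`...getDocNamespaces())?>` followed by a second `?>`). The second one is stray inline text that stays unprinted only because the constructor throws first, and it should be dropped. Only the "Invalid options" branch is exercised; the data-length and namespace-length branches changed in simplexml.c have no coverage here.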