Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()

author Stanislav Malyshev <stas@php.net>

Tue, 11 Oct 2016 20:30:52 +0000 (13:30 -0700)

committer Anatol Belski <ab@php.net>

Wed, 12 Oct 2016 13:40:21 +0000 (15:40 +0200)
author Stanislav Malyshev <stas@php.net>
Tue, 11 Oct 2016 20:30:52 +0000 (13:30 -0700)
committer Anatol Belski <ab@php.net>
Wed, 12 Oct 2016 13:40:21 +0000 (15:40 +0200)
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c

index a20cb3e22a257fdd169b0402d9aa6be4c6e558df..6a05f04618bb5bc23f199499b63ff6778983acd6 100644 (file)
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -1472,9 +1472,15 @@ SXE_METHOD(asXML)
         if (node) {
                 if (node->parent && (XML_DOCUMENT_NODE == node->parent->type)) {
                         xmlDocDumpMemoryEnc((xmlDocPtr) sxe->document->ptr, &strval, &strval_len, (const char *) ((xmlDocPtr) sxe->document->ptr)->encoding);
-                       RETVAL_STRINGL((char *)strval, strval_len);
+                       if (!strval) {
+                               RETVAL_FALSE;
+                       } else {
+                               RETVAL_STRINGL((char *)strval, strval_len);
+                       }
                         xmlFree(strval);
                 } else {
+                       char *return_content;
+                       size_t return_len;
                         /* Should we be passing encoding information instead of NULL? */
                         outbuf = xmlAllocOutputBuffer(NULL);
  
@@ -1485,10 +1491,17 @@ SXE_METHOD(asXML)
                         xmlNodeDumpOutput(outbuf, (xmlDocPtr) sxe->document->ptr, node, 0, 0, (const char *) ((xmlDocPtr) sxe->document->ptr)->encoding);
                         xmlOutputBufferFlush(outbuf);
  #ifdef LIBXML2_NEW_BUFFER
-                       RETVAL_STRINGL((char *)xmlOutputBufferGetContent(outbuf), xmlOutputBufferGetSize(outbuf));
+                       return_content = (char *)xmlOutputBufferGetContent(outbuf);
+                       return_len = xmlOutputBufferGetSize(outbuf);
  #else
-                       RETVAL_STRINGL((char *)outbuf->buffer->content, outbuf->buffer->use);
+                       return_content = (char *)outbuf->buffer->content;
+                       return_len = outbuf->buffer->use;
  #endif
+                       if (return_content) {
+                               RETVAL_FALSE;
+                       } else {
+                               RETVAL_STRINGL(return_content, return_len);
+                       }
                         xmlOutputBufferClose(outbuf);
                 }
         } else {
author	Stanislav Malyshev <stas@php.net>
	Tue, 11 Oct 2016 20:30:52 +0000 (13:30 -0700)
committer	Anatol Belski <ab@php.net>
	Wed, 12 Oct 2016 13:40:21 +0000 (15:40 +0200)