- Fixed bug #48221 (memory leak when passing invalid xslt parameter)

diff --git a/ext/xsl/tests/bug48221.phpt b/ext/xsl/tests/bug48221.phpt
new file mode 100644 (file)
index 0000000..609112d
--- /dev/null
+++ b/ext/xsl/tests/bug48221.phpt
@@ -0,0 +1,85 @@
+--TEST--
+Bug #48221 (memory leak when passing invalid xslt parameter)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+
+$xsl = new DOMDocument;
+$xsl->loadXML('<html xsl:version="1.0"
+      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+      lang="en">
+    <head>
+        <title>Sales Results By Division</title>
+    </head>
+    <body>
+        <table border="1">
+            <tr>
+                <th>Division</th>
+                <th>Revenue</th>
+                <th>Growth</th>
+                <th>Bonus</th>
+            </tr>
+            <xsl:for-each select="sales/division">
+                <!-- order the result by revenue -->
+                <xsl:sort select="revenue"
+                          data-type="number"
+                          order="descending"/>
+                <tr>
+                    <td>
+                        <em><xsl:value-of select="@id"/></em>
+                    </td>
+                    <td>
+                        <xsl:value-of select="revenue"/>
+                    </td>
+                    <td>
+                        <!-- highlight negative growth in red -->
+                        <xsl:if test="growth &lt; 0">
+                             <xsl:attribute name="style">
+                                 <xsl:text>color:red</xsl:text>
+                             </xsl:attribute>
+                        </xsl:if>
+                        <xsl:value-of select="growth"/>
+                    </td>
+                    <td>
+                        <xsl:value-of select="bonus"/>
+                    </td>
+                </tr>
+            </xsl:for-each>
+        </table>
+    </body>
+</html>');
+
+$dom = new DOMDocument;
+$dom->loadXMl('<sales>
+
+        <division id="North">
+                <revenue>10</revenue>
+                <growth>9</growth>
+                <bonus>7</bonus>
+        </division>
+
+        <division id="South">
+                <revenue>4</revenue>
+                <growth>3</growth>
+                <bonus>4</bonus>
+        </division>
+
+        <division id="West">
+                <revenue>6</revenue>
+                <growth>-1.5</growth>
+                <bonus>2</bonus>
+        </division>
+
+</sales>');
+
+$proc = new xsltprocessor;
+$proc->importStylesheet($xsl);
+$proc->setParameter('', '', '"\'');
+$proc->transformToXml($dom);
+
+?>
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): Cannot create XPath expression (string contains both quote and double-quotes) in %s on line %d

diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
index d1acdcdd538f2c15f49a5f2bfca74c145610579c..10e261834e41100ce3795b14da8d589ad65ab35b 100644 (file)
--- a/ext/xsl/xsltprocessor.c
+++ b/ext/xsl/xsltprocessor.c
@@ -154,11 +154,13 @@ static char **php_xsl_xslt_make_params(HashTable *parht, int xpath_params TSRMLS
                        if (!xpath_params) {
                                xpath_expr = php_xsl_xslt_string_to_xpathexpr(Z_STRVAL_PP(value) TSRMLS_CC);
                        } else {
-                               xpath_expr = estrndup(Z_STRVAL_PP(value), strlen(Z_STRVAL_PP(value)));
+                               xpath_expr = estrndup(Z_STRVAL_PP(value), Z_STRLEN_PP(value));
                        }
                        if (xpath_expr) {
                                params[i++] = string_key.s;
                                params[i++] = xpath_expr;
+                       } else {
+                               efree(string_key.s);
                        }
                }
        }