From: Felipe Pena
Date: Tue, 20 Apr 2010 16:24:21 +0000 (+0000)
Subject: - Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML)
X-Git-Tag: php-5.2.14RC1~58
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=247c85bbb6727d764bf002d22e3e387200494dfe;p=php
- Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML)
---
diff --git a/NEWS b/NEWS
index 1c65adef21..fb21796df7 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP NEWS
 - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+- Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML). (Felipe)
 - Fixed bug #51609 (pg_copy_to: Invalid results when using fourth parameter). (Felipe)
 - Fixed bug #51608 (pg_copy_to: WARNING: nonstandard use of \\ in a string
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index 7a0a777da4..d4a17cf6b7 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -969,9 +969,14 @@ static void sxe_dimension_delete(zval *object, zval *offset TSRMLS_DC)
 static inline char * sxe_xmlNodeListGetString(xmlDocPtr doc, xmlNodePtr list, int inLine)
 {
 xmlChar *tmp = xmlNodeListGetString(doc, list, inLine);
- char *res = estrdup((char*)tmp);
-
- xmlFree(tmp);
+ char *res;
+
+ if (tmp) {
+ res = estrdup((char*)tmp);
+ xmlFree(tmp);
+ } else {
+ res = STR_EMPTY_ALLOC();
+ }
 return res;
 }
diff --git a/ext/simplexml/tests/bug51615.phpt b/ext/simplexml/tests/bug51615.phpt
new file mode 100644
index 0000000000..c5572f542a
--- /dev/null
+++ b/ext/simplexml/tests/bug51615.phpt
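Review bot: The NULL-to-empty-string fallback added to sxe_xmlNodeListGetString() in ext/simplexml/simplexml.c is undocumented, so the wrapper's new contract is only visible by reading the body. I would add above the function `/* Never returns NULL: a NULL result from xmlNodeListGetString() is mapped to an empty string; the caller releases the result with efree(). */`. The old code passed the libxml2 result straight to estrdup(), which is presumably the crash path reachable from malformed markup. It is therefore worth confirming that no call site in this file uses xmlNodeListGetString() directly instead of this wrapper; none are visible in the hunk. The whole function body lies inside the hunk.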
@@ -0,0 +1,22 @@
+--TEST--
+Bug #51615 (PHP crash with wrong HTML in SimpleXML)
+--SKIPIF--
+
+--FILE--
+loadHTML('xx');
+$html = simplexml_import_dom($dom);
+
+foreach ($html->body->span as $obj) {
+ var_dump((string)$obj->title);
+}
+
+?>
+--EXPECTF--
+Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
+
+Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
+string(0) ""
+string(0) ""
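Review bot: The two `Warning:` lines in --EXPECTF-- pin the exact libxml2 diagnostic text ("error parsing attribute name in Entity, line: 1"), which comes from the parser library rather than from PHP. A different libxml2 build may word or count these warnings differently, and this crash regression test would then fail for an unrelated reason. Matching the message loosely keeps the test focused on the two `string(0) ""` results, e.g. `Warning: DOMDocument::loadHTML(): %s in %s on line %d`. The --SKIPIF-- body and the markup passed to loadHTML() appear to have been stripped in this rendering, so the extension guard and the input itself could not be reviewed here.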