From: Xinchen Hui Date: Wed, 25 Dec 2019 11:05:44 +0000 (+0100) Subject: Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). X-Git-Tag: php-7.3.14RC1~11 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=27bb3289aceb5225e4dd39f082a48823756a8190;p=php Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). We backport the fix PHP 7.3, since this branch is affected as well. (cherry picked from commit b5e004379647bd1ebb75eb2eac8826fb6abdd3d8) (cherry picked from commit e36daa6927c05d2e687bb77495ef206cde118b33) (cherry picked from commit 2704ee6844c03348de9d15e74646d09007ef0f7c) --- diff --git a/NEWS b/NEWS index 5f70bd1ae0..b11b87830a 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,9 @@ PHP NEWS . Fixed bug #78923 (Artifacts when convoluting image with transparency). (wilson chen) +- Libxml: + . Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence) + - Pcntl: . Fixed bug #78402 (Converting null to string in error message is bad DX). (SATŌ Kentarō) diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c index b0b94b7c3a..864e5a36fb 100644 --- a/ext/libxml/libxml.c +++ b/ext/libxml/libxml.c @@ -358,6 +358,10 @@ static void *php_libxml_streams_IO_open_wrapper(const char *filename, const char context = php_stream_context_from_zval(Z_ISUNDEF(LIBXML(stream_context))? NULL : &LIBXML(stream_context), 0); ret_val = php_stream_open_wrapper_ex(path_to_open, (char *)mode, REPORT_ERRORS, NULL, context); + if (ret_val) { + /* Prevent from closing this by fclose() */ + ((php_stream*)ret_val)->flags |= PHP_STREAM_FLAG_NO_FCLOSE; + } if (isescaped) { xmlFree(resolved_path); } diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c index 16545fd653..24bb9dd182 100644 --- a/ext/xmlwriter/php_xmlwriter.c +++ b/ext/xmlwriter/php_xmlwriter.c 
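Review bot: The comment above the added `((php_stream*)ret_val)->flags |= PHP_STREAM_FLAG_NO_FCLOSE;` line in php_libxml_streams_IO_open_wrapper says what the flag does but not why it is needed. Going by the bug title, libxml keeps this stream as its I/O context, so a userland `fclose()` on the resource would free it while the reader or writer still points at it. I would expand the comment to something like `/* libxml holds this stream as its I/O context; refuse userland fclose() so that pointer cannot dangle (bug #79029) */`. The wrapper is presumably shared by every libxml-backed extension, so it is worth confirming that none of them relied on user code closing these streams. The function body continues outside the hunk.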
@@ -91,13 +91,15 @@ typedef int (*xmlwriter_read_int_t)(xmlTextWriterPtr writer); static void xmlwriter_free_resource_ptr(xmlwriter_object *intern) { if (intern) { - if (intern->ptr) { - xmlFreeTextWriter(intern->ptr); - intern->ptr = NULL; - } - if (intern->output) { - xmlBufferFree(intern->output); - intern->output = NULL; + if (EG(active)) { + if (intern->ptr) { + xmlFreeTextWriter(intern->ptr); + intern->ptr = NULL; + } + if (intern->output) { + xmlBufferFree(intern->output); + intern->output = NULL; + } } efree(intern); } diff --git a/ext/xmlwriter/tests/bug79029.phpt b/ext/xmlwriter/tests/bug79029.phpt new file mode 100644 index 0000000000..2e76a4e409 --- /dev/null +++ b/ext/xmlwriter/tests/bug79029.phpt @@ -0,0 +1,34 @@ +--TEST-- +#79029 (Use After Free's in XMLReader / XMLWriter) +--SKIPIF-- + +--FILE-- +openUri("bug79029_1.txt"); +$x[0]->startComment(); + +$x = new XMLWriter(); +$x->openUri("bug79029_2.txt"); +fclose(@end(get_resources())); + +file_put_contents("bug79029_3.txt", "a"); +$x = new XMLReader(); +$x->open("bug79029_3.txt"); +fclose(@end(get_resources())); +?> +okey +--CLEAN-- + +--EXPECTF-- +Warning: fclose(): %d is not a valid stream resource in %sbug79029.php on line %d + +Warning: fclose(): %d is not a valid stream resource in %sbug79029.php on line %d +okey
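Review bot: The new `if (EG(active))` guard in xmlwriter_free_resource_ptr has no comment, so the skipped `xmlFreeTextWriter()` and `xmlBufferFree()` calls read like an accidental leak. A line such as `/* executor inactive: the backing stream may already be destroyed, so do not let libxml write or close through it */` would record the intent; that wording is inferred from the bug title and should be checked by the author. When the guard is false the writer is never freed, so any output still buffered in it is presumably not flushed. A test that lets a URI-backed writer be destroyed at shutdown and then checks the file contents would pin that behaviour down.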
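Review bot: Both `fclose(@end(get_resources()));` calls in bug79029.phpt assume the stream opened by libxml is the last entry in the resource table, which ties the test to resource registration order. Restricting the lookup to streams, e.g. `$r = get_resources('stream'); fclose(end($r));`, would make the target explicit. The expected output only matches the two fclose() warnings; from the lines visible here nothing checks that the writer or reader is still usable after the refused close, and a follow-up call on `$x` would cover the use-after-free path more directly.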