From: Felipe Pena <felipe@php.net>
Date: Sun, 10 May 2009 15:15:47 +0000 (+0000)
Subject: - MFH: Fixed bug #48221 (memory leak when passing invalid xslt parameter)
X-Git-Tag: php-5.2.10RC1~109
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6fbed2a9f3a320a52a0f59c4c843f7cbc487a54b;p=php

- MFH: Fixed bug #48221 (memory leak when passing invalid xslt parameter)
---

diff --git a/NEWS b/NEWS
index feb1026169..18140edfb2 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP                                                                        NEWS
 - Fixed segfault on invalid session.save_path. (Hannes)
 - Fixed leaks in imap when a mail_criteria is used. (Pierre)
 
+- Fixed bug #48221 (memory leak when passing invalid xslt parameter). (Felipe)
 - Fixed bug #48206 (Iterating over an invalid data structure
   with RecursiveIteratorIterator leads to a segfault). (Scott)
 - Fixed bug #48156 (Added support for lcov v1.7). (Ilia)
diff --git a/ext/xsl/tests/bug48221.phpt b/ext/xsl/tests/bug48221.phpt
new file mode 100644
index 0000000000..609112db3d
--- /dev/null
+++ b/ext/xsl/tests/bug48221.phpt
@@ -0,0 +1,85 @@
+--TEST--
+Bug #48221 (memory leak when passing invalid xslt parameter)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+
+$xsl = new DOMDocument;
+$xsl->loadXML('<html xsl:version="1.0"
+      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+      lang="en">
+    <head>
+        <title>Sales Results By Division</title>
+    </head>
+    <body>
+        <table border="1">
+            <tr>
+                <th>Division</th>
+                <th>Revenue</th>
+                <th>Growth</th>
+                <th>Bonus</th>
+            </tr>
+            <xsl:for-each select="sales/division">
+                <!-- order the result by revenue -->
+                <xsl:sort select="revenue"
+                          data-type="number"
+                          order="descending"/>
+                <tr>
+                    <td>
+                        <em><xsl:value-of select="@id"/></em>
+                    </td>
+                    <td>
+                        <xsl:value-of select="revenue"/>
+                    </td>
+                    <td>
+                        <!-- highlight negative growth in red -->
+                        <xsl:if test="growth &lt; 0">
+                             <xsl:attribute name="style">
+                                 <xsl:text>color:red</xsl:text>
+                             </xsl:attribute>
+                        </xsl:if>
+                        <xsl:value-of select="growth"/>
+                    </td>
+                    <td>
+                        <xsl:value-of select="bonus"/>
+                    </td>
+                </tr>
+            </xsl:for-each>
+        </table>
+    </body>
+</html>');
+
+$dom = new DOMDocument;
+$dom->loadXMl('<sales>
+
+        <division id="North">
+                <revenue>10</revenue>
+                <growth>9</growth>
+                <bonus>7</bonus>
+        </division>
+
+        <division id="South">
+                <revenue>4</revenue>
+                <growth>3</growth>
+                <bonus>4</bonus>
+        </division>
+
+        <division id="West">
+                <revenue>6</revenue>
+                <growth>-1.5</growth>
+                <bonus>2</bonus>
+        </division>
+
+</sales>');
+
+$proc = new xsltprocessor;
+$proc->importStylesheet($xsl);
+$proc->setParameter('', '', '"\'');
+$proc->transformToXml($dom);
+
+?>
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): Cannot create XPath expression (string contains both quote and double-quotes) in %s on line %d
diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
index c88bf762ff..6bf551e3a0 100644
--- a/ext/xsl/xsltprocessor.c
+++ b/ext/xsl/xsltprocessor.c
@@ -157,11 +157,13 @@ static char **php_xsl_xslt_make_params(HashTable *parht, int xpath_params TSRMLS
 			if (!xpath_params) {
 				xpath_expr = php_xsl_xslt_string_to_xpathexpr(Z_STRVAL_PP(value) TSRMLS_CC);
 			} else {
-				xpath_expr = estrndup(Z_STRVAL_PP(value), strlen(Z_STRVAL_PP(value)));
+				xpath_expr = estrndup(Z_STRVAL_PP(value), Z_STRLEN_PP(value));
 			}
 			if (xpath_expr) {
 				params[i++] = string_key;
 				params[i++] = xpath_expr;
+			} else {
+				efree(string_key);
 			}
 		}
 	}