From: Rob Richards <rrichards@php.net>
Date: Fri, 12 Dec 2008 04:16:21 +0000 (+0000)
Subject: MFH: fix bug #46699: (xml_parse crash when parser is namespace aware)
X-Git-Tag: php-5.3.0beta1~448
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ca954ad613db9384af2d280cada5f8cb217bb3e1;p=php

MFH: fix bug #46699: (xml_parse crash when parser is namespace aware)
fix a couple warnings
add test
---

diff --git a/ext/xml/compat.c b/ext/xml/compat.c
index 7b4c90dbde..2c4d76aa76 100644
--- a/ext/xml/compat.c
+++ b/ext/xml/compat.c
@@ -40,7 +40,7 @@ _qualify_namespace(XML_Parser parser, const xmlChar *name, const xmlChar *URI, x
 			/* Use libxml functions otherwise its memory deallocation is screwed up */
 			*qualified = xmlStrdup(URI);
 			*qualified = xmlStrncat(*qualified, parser->_ns_seperator, 1);
-			*qualified = xmlStrncat(*qualified, name, strlen(name));
+			*qualified = xmlStrncat(*qualified, name, xmlStrlen(name));
 	} else {
 		*qualified = xmlStrdup(name);
 	}
@@ -104,7 +104,66 @@ _start_element_handler_ns(void *user, const xmlChar *name, const xmlChar *prefix
 		y = 0;
 	}
 	
-	if (parser->h_start_element == NULL && parser->h_default == NULL) {
+	if (parser->h_start_element == NULL) {
+	 	if (parser->h_default) {
+
+			if (prefix) {
+				qualified_name = xmlStrncatNew((xmlChar *)"<", prefix, xmlStrlen(prefix));
+				qualified_name = xmlStrncat(qualified_name, (xmlChar *)":", 1);
+				qualified_name = xmlStrncat(qualified_name, name, xmlStrlen(name));
+			} else {
+				qualified_name = xmlStrncatNew((xmlChar *)"<", name, xmlStrlen(name));
+			}
+			
+			if (namespaces) {
+				int i, j;
+				for (i = 0,j = 0;j < nb_namespaces;j++) {
+					int ns_len;
+					char *ns_string, *ns_prefix, *ns_url;
+					
+					ns_prefix = (char *) namespaces[i++];
+					ns_url = (char *) namespaces[i++];
+					
+					if (ns_prefix) {
+						ns_len = spprintf(&ns_string, 0, " xmlns:%s=\"%s\"", ns_prefix, ns_url);
+					} else {
+						ns_len = spprintf(&ns_string, 0, " xmlns=\"%s\"", ns_url);
+					}
+					qualified_name = xmlStrncat(qualified_name, (xmlChar *)ns_string, ns_len);
+					
+					efree(ns_string);
+				}
+			}
+			
+			if (attributes) {
+				for (i = 0; i < nb_attributes; i += 1) {
+					int att_len;
+					char *att_string, *att_name, *att_value, *att_prefix, *att_valueend;
+
+					att_name = (char *) attributes[y++];
+					att_prefix = (char *)attributes[y++];
+					y++;
+					att_value = (char *)attributes[y++];
+					att_valueend = (char *)attributes[y++];
+
+					if (att_prefix) {
+						att_len = spprintf(&att_string, 0, " %s:%s=\"", att_prefix, att_name);
+					} else {
+						att_len = spprintf(&att_string, 0, " %s=\"", att_name);
+					}
+
+					qualified_name = xmlStrncat(qualified_name, (xmlChar *)att_string, att_len);
+					qualified_name = xmlStrncat(qualified_name, (xmlChar *)att_value, att_valueend - att_value);
+					qualified_name = xmlStrncat(qualified_name, (xmlChar *)"\"", 1);
+					
+					efree(att_string);
+				}
+
+			}
+			qualified_name = xmlStrncat(qualified_name, (xmlChar *)">", 1);
+			parser->h_default(parser->user, (const XML_Char *) qualified_name, xmlStrlen(qualified_name));
+			xmlFree(qualified_name);
+		}
 		return;
 	}
 	_qualify_namespace(parser, name, URI, &qualified_name);
@@ -178,6 +237,18 @@ _end_element_handler_ns(void *user, const xmlChar *name, const xmlChar * prefix,
 	XML_Parser  parser = (XML_Parser) user;
 
 	if (parser->h_end_element == NULL) {
+		if (parser->h_default) {
+			char *end_element;
+			int end_element_len;
+
+			if (prefix) {
+				end_element_len = spprintf(&end_element, 0, "</%s:%s>", (char *) prefix, (char *)name);
+			} else {
+				end_element_len = spprintf(&end_element, 0, "</%s>", (char *)name);
+			}
+			parser->h_default(parser->user, (const XML_Char *) end_element, end_element_len);
+			efree(end_element);
+		}
 		return;
 	}
 
@@ -212,7 +283,7 @@ _pi_handler(void *user, const xmlChar *target, const xmlChar *data)
 		if (parser->h_default) {
 			char    *full_pi;
 			spprintf(&full_pi, 0, "<?%s %s?>", (char *)target, (char *)data);
-			parser->h_default(parser->user, (const XML_Char *) full_pi, xmlStrlen(full_pi));
+			parser->h_default(parser->user, (const XML_Char *) full_pi, strlen(full_pi));
 			efree(full_pi);
 		}
 		return;
diff --git a/ext/xml/tests/bug46699.phpt b/ext/xml/tests/bug46699.phpt
new file mode 100644
index 0000000000..3996fd1917
--- /dev/null
+++ b/ext/xml/tests/bug46699.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #46699: (xml_parse crash when parser is namespace aware)
+--SKIPIF--
+<?php
+require_once("skipif.inc");
+if (! @xml_parser_create_ns('ISO-8859-1')) { die("skip xml_parser_create_ns is not supported on this platform");}
+?>
+--FILE--
+<?php
+function defaultfunc($parser, $data)
+{
+echo $data;
+}
+
+$xml = <<<HERE
+<a xmlns="http://example.com/foo"
+    xmlns:bar="http://example.com/bar">
+  <bar:b foo="bar">1</bar:b>
+  <bar:c bar:nix="null" foo="bar">2</bar:c>
+</a>
+HERE;
+
+$parser = xml_parser_create_ns("ISO-8859-1","@");
+xml_set_default_handler($parser,'defaultfunc');
+xml_parser_set_option($parser,XML_OPTION_CASE_FOLDING,0);
+xml_parse($parser, $xml);
+xml_parser_free($parser);
+?>
+--EXPECT--
+<a xmlns="http://example.com/foo" xmlns:bar="http://example.com/bar">
+  <bar:b foo="bar">1</bar:b>
+  <bar:c bar:nix="null" foo="bar">2</bar:c>
+</a>