From: Felipe Pena Date: Tue, 20 Apr 2010 16:24:21 +0000 (+0000) Subject: - Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML) X-Git-Tag: php-5.3.3RC1~291 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=df43d76e62638ab7b1014100da8a670d6872bc61;p=php - Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML) --- diff --git a/NEWS b/NEWS index 85316bab20..7b533f1a9c 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,7 @@ PHP NEWS requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) - Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas) +- Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML). (Felipe) - Fixed bug #51609 (pg_copy_to: Invalid results when using fourth parameter). (Felipe) - Fixed bug #51608 (pg_copy_to: WARNING: nonstandard use of \\ in a string diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index f1843b497f..3f41fc8357 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c @@ -988,9 +988,14 @@ static void sxe_dimension_delete(zval *object, zval *offset TSRMLS_DC) static inline char * sxe_xmlNodeListGetString(xmlDocPtr doc, xmlNodePtr list, int inLine) /* {{{ */ { xmlChar *tmp = xmlNodeListGetString(doc, list, inLine); - char *res = estrdup((char*)tmp); - - xmlFree(tmp); + char *res; + + if (tmp) { + res = estrdup((char*)tmp); + xmlFree(tmp); + } else { + res = STR_EMPTY_ALLOC(); + } return res; } diff --git a/ext/simplexml/tests/bug51615.phpt b/ext/simplexml/tests/bug51615.phpt new file mode 100644 index 0000000000..c5572f542a --- /dev/null +++ b/ext/simplexml/tests/bug51615.phpt 
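Review bot: The `else` branch added to sxe_xmlNodeListGetString() maps every NULL from xmlNodeListGetString() to an empty string, but the function carries no comment stating that it can no longer return NULL or who owns the result. The old code passed that NULL straight to estrdup(), which is the crash behind bug #51615 and is reachable from malformed markup, so the new contract is worth recording above the function: `/* Never returns NULL: a NULL result from libxml2 becomes an emalloc'd "" that the caller must efree(). */`. NULL presumably means "no text content" here, but it may also stand for a failure inside libxml2, and callers can no longer tell that apart from an empty node. Any code in this file that calls xmlNodeListGetString() directly instead of through this wrapper would need the same NULL check; those call sites are outside the hunk.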
@@ -0,0 +1,22 @@
+--TEST--
+Bug #51615 (PHP crash with wrong HTML in SimpleXML)
+--SKIPIF--
+
+--FILE--
+loadHTML('xx');
+$html = simplexml_import_dom($dom);
+
+foreach ($html->body->span as $obj) {
+ var_dump((string)$obj->title);
+}
+
+?>
+--EXPECTF--
+Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
+
+Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
+string(0) ""
+string(0) ""