From cf0cf5b5074e0bd00c0e3eb948a7420363a41eed Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 14 Feb 2016 23:35:29 -0800
Subject: [PATCH] Fix bug #71540 - NULL pointer dereference in
 xsl_ext_function_php()

---
 ext/xsl/tests/bug71540.phpt | 67 +++++++++++++++++++++++++++++++++++++
 ext/xsl/xsltprocessor.c     |  4 +++
 2 files changed, 71 insertions(+)
 create mode 100644 ext/xsl/tests/bug71540.phpt

diff --git a/ext/xsl/tests/bug71540.phpt b/ext/xsl/tests/bug71540.phpt
new file mode 100644
index 0000000000..e93fb0e125
--- /dev/null
+++ b/ext/xsl/tests/bug71540.phpt
@@ -0,0 +1,67 @@
+--TEST--
+Bug #71540 (NULL pointer dereference in xsl_ext_function_php())
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+$xml = <<<EOB
+<allusers>
+ <user>
+  <uid>bob</uid>
+ </user>
+</allusers>
+EOB;
+$xsl = <<<EOB
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" 
+     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+     xmlns:php="http://php.net/xsl">
+<xsl:output method="html" encoding="utf-8" indent="yes"/>
+ <xsl:template match="allusers">
+  <html><body>
+    <h2>Users</h2>
+    <table>
+    <xsl:for-each select="user">
+      <tr><td>
+        <xsl:value-of
+             select="php:function('test',uid,test(test))"/>
+      </td></tr>
+    </xsl:for-each>
+    </table>
+  </body></html>
+ </xsl:template>
+</xsl:stylesheet>
+EOB;
+
+$xmldoc = new DOMDocument();
+$xmldoc->loadXML($xml);
+$xsldoc = new DOMDocument();
+$xsldoc->loadXML($xsl);
+
+$proc = new XSLTProcessor();
+$proc->registerPHPFunctions();
+$proc->importStyleSheet($xsldoc);
+echo $proc->transformToXML($xmldoc);
+?>
+DONE
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): xmlXPathCompOpEval: function test not found in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): Unregistered function in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): Stack usage errror in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): Stack usage errror in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): xmlXPathCompiledEval: 2 objects left on the stack. in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line 13 element value-of in %sbug71540.php on line %d
+
+Warning: XSLTProcessor::transformToXml(): XPath evaluation returned no result. in %sbug71540.php on line %d
+<html xmlns:php="http://php.net/xsl"><body>
+<h2>Users</h2>
+<table><tr><td></td></tr></table>
+</body></html>
+DONE
\ No newline at end of file
diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
index be46d38de1..ec3042311d 100644
--- a/ext/xsl/xsltprocessor.c
+++ b/ext/xsl/xsltprocessor.c
@@ -231,6 +231,10 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
 	/* Reverse order to pop values off ctxt stack */
 	for (i = nargs - 2; i >= 0; i--) {
 		obj = valuePop(ctxt);
+		if (obj == NULL) {
+			ZVAL_NULL(&args[i]);
+			continue;
+		}
 		switch (obj->type) {
 			case XPATH_STRING:
 				ZVAL_STRING(&args[i], (char *)obj->stringval);
-- 
2.40.0