rrichards               Fri Jun  6 15:04:32 2003 EDT

  Modified files:              
    /php4/ext/dom       php_dom.c 
  Log:
  fix double free issue
  fix property access within invalid objects and failed reads
  
Index: php4/ext/dom/php_dom.c
diff -u php4/ext/dom/php_dom.c:1.3 php4/ext/dom/php_dom.c:1.4
--- php4/ext/dom/php_dom.c:1.3  Thu Jun  5 14:54:25 2003
+++ php4/ext/dom/php_dom.c      Fri Jun  6 15:04:32 2003
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: php_dom.c,v 1.3 2003/06/05 18:54:25 sterling Exp $ */
+/* $Id: php_dom.c,v 1.4 2003/06/06 19:04:32 rrichards Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -235,21 +235,26 @@
 
        ret = FAILURE;
        obj = (dom_object *)zend_objects_get_address(object TSRMLS_CC);
-       if (obj->prop_handler != NULL) {
-               ret = zend_hash_find(obj->prop_handler, Z_STRVAL_P(member), 
Z_STRLEN_P(member)+1, (void **) &hnd);
-       }
-       if (ret == SUCCESS) {
-               hnd->read_func(obj, &retval TSRMLS_CC);
-               if (retval) {
-                       /* ensure we're creating a temporary variable */
-                       retval->refcount = 1;
-                       PZVAL_UNLOCK(retval);
+       if (obj->ptr != NULL) {
+               if (obj->prop_handler != NULL) {
+                       ret = zend_hash_find(obj->prop_handler, Z_STRVAL_P(member), 
Z_STRLEN_P(member)+1, (void **) &hnd);
+               }
+               if (ret == SUCCESS) {
+                       ret = hnd->read_func(obj, &retval TSRMLS_CC);
+                       if (ret == SUCCESS) {
+                               /* ensure we're creating a temporary variable */
+                               retval->refcount = 1;
+                               PZVAL_UNLOCK(retval);
+                       } else {
+                               retval = EG(uninitialized_zval_ptr);
+                       }
                } else {
-                       retval = EG(uninitialized_zval_ptr);
+                       std_hnd = zend_get_std_object_handlers();
+                       retval = std_hnd->read_property(object, member TSRMLS_CC);
                }
        } else {
-               std_hnd = zend_get_std_object_handlers();
-               retval = std_hnd->read_property(object, member TSRMLS_CC);
+               retval = EG(uninitialized_zval_ptr);
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Underlying object 
missing");
        }
        if (member == &tmp_member) {
                zval_dtor(member);
@@ -276,15 +281,18 @@
 
        ret = FAILURE;
        obj = (dom_object *)zend_objects_get_address(object TSRMLS_CC);
-
-       if (obj->prop_handler != NULL) {
-               ret = zend_hash_find((HashTable *)obj->prop_handler, 
Z_STRVAL_P(member), Z_STRLEN_P(member)+1, (void **) &hnd);
-       }
-       if (ret == SUCCESS) {
-               hnd->write_func(obj, value TSRMLS_CC);
+       if (obj->ptr != NULL) {
+               if (obj->prop_handler != NULL) {
+                       ret = zend_hash_find((HashTable *)obj->prop_handler, 
Z_STRVAL_P(member), Z_STRLEN_P(member)+1, (void **) &hnd);
+               }
+               if (ret == SUCCESS) {
+                       hnd->write_func(obj, value TSRMLS_CC);
+               } else {
+                       std_hnd = zend_get_std_object_handlers();
+                       std_hnd->write_property(object, member, value TSRMLS_CC);
+               }
        } else {
-               std_hnd = zend_get_std_object_handlers();
-               std_hnd->write_property(object, member, value TSRMLS_CC);
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Underlying object 
missing");
        }
        if (member == &tmp_member) {
                zval_dtor(member);
@@ -668,7 +676,7 @@
        xmlNodePtr curnode;
 
        if (node != NULL) {
-               curnode = node->last;
+               curnode = node;
                while (curnode != NULL) {
                        node = curnode;
                        node_free_list(node->children TSRMLS_CC);
@@ -685,7 +693,7 @@
                        }
                        
                        dom_unregister_node(node TSRMLS_CC);
-                       curnode = node->prev;
+                       curnode = node->next;
                        xmlUnlinkNode(node);
                        xmlFreeNode(node);
                }
@@ -758,7 +766,7 @@
                                                xmlFreeNode((xmlNode *) node);
                                }
                        } else {
-                               dom_object_set_data(node, NULL TSRMLS_CC);
+                               dom_unregister_node(node TSRMLS_CC);
                        }
        }
 }



-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to