rrichards Fri Jun 6 15:04:32 2003 EDT Modified files: /php4/ext/dom php_dom.c Log: fix double free issue fix property access within invalid objects and failed reads Index: php4/ext/dom/php_dom.c diff -u php4/ext/dom/php_dom.c:1.3 php4/ext/dom/php_dom.c:1.4 --- php4/ext/dom/php_dom.c:1.3 Thu Jun 5 14:54:25 2003 +++ php4/ext/dom/php_dom.c Fri Jun 6 15:04:32 2003 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: php_dom.c,v 1.3 2003/06/05 18:54:25 sterling Exp $ */ +/* $Id: php_dom.c,v 1.4 2003/06/06 19:04:32 rrichards Exp $ */ #ifdef HAVE_CONFIG_H #include "config.h" @@ -235,21 +235,26 @@ ret = FAILURE; obj = (dom_object *)zend_objects_get_address(object TSRMLS_CC); - if (obj->prop_handler != NULL) { - ret = zend_hash_find(obj->prop_handler, Z_STRVAL_P(member), Z_STRLEN_P(member)+1, (void **) &hnd); - } - if (ret == SUCCESS) { - hnd->read_func(obj, &retval TSRMLS_CC); - if (retval) { - /* ensure we're creating a temporary variable */ - retval->refcount = 1; - PZVAL_UNLOCK(retval); + if (obj->ptr != NULL) { + if (obj->prop_handler != NULL) { + ret = zend_hash_find(obj->prop_handler, Z_STRVAL_P(member), Z_STRLEN_P(member)+1, (void **) &hnd); + } + if (ret == SUCCESS) { + ret = hnd->read_func(obj, &retval TSRMLS_CC); + if (ret == SUCCESS) { + /* ensure we're creating a temporary variable */ + retval->refcount = 1; + PZVAL_UNLOCK(retval); + } else { + retval = EG(uninitialized_zval_ptr); + } } else { - retval = EG(uninitialized_zval_ptr); + std_hnd = zend_get_std_object_handlers(); + retval = std_hnd->read_property(object, member TSRMLS_CC); } } else { - std_hnd = zend_get_std_object_handlers(); - retval = std_hnd->read_property(object, member TSRMLS_CC); + retval = EG(uninitialized_zval_ptr); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Underlying object missing"); } if (member == &tmp_member) { zval_dtor(member); @@ -276,15 +281,18 @@ ret = FAILURE; obj = (dom_object *)zend_objects_get_address(object TSRMLS_CC); - - if (obj->prop_handler != NULL) { - ret = zend_hash_find((HashTable *)obj->prop_handler, Z_STRVAL_P(member), Z_STRLEN_P(member)+1, (void **) &hnd); - } - if (ret == SUCCESS) { - hnd->write_func(obj, value TSRMLS_CC); + if (obj->ptr != NULL) { + if (obj->prop_handler != NULL) { + ret = zend_hash_find((HashTable *)obj->prop_handler, Z_STRVAL_P(member), Z_STRLEN_P(member)+1, (void **) &hnd); + } + if (ret == SUCCESS) { + hnd->write_func(obj, value TSRMLS_CC); + } else { + std_hnd = zend_get_std_object_handlers(); + std_hnd->write_property(object, member, value TSRMLS_CC); + } } else { - std_hnd = zend_get_std_object_handlers(); - std_hnd->write_property(object, member, value TSRMLS_CC); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Underlying object missing"); } if (member == &tmp_member) { zval_dtor(member); @@ -668,7 +676,7 @@ xmlNodePtr curnode; if (node != NULL) { - curnode = node->last; + curnode = node; while (curnode != NULL) { node = curnode; node_free_list(node->children TSRMLS_CC); @@ -685,7 +693,7 @@ } dom_unregister_node(node TSRMLS_CC); - curnode = node->prev; + curnode = node->next; xmlUnlinkNode(node); xmlFreeNode(node); } @@ -758,7 +766,7 @@ xmlFreeNode((xmlNode *) node); } } else { - dom_object_set_data(node, NULL TSRMLS_CC); + dom_unregister_node(node TSRMLS_CC); } } }
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php