felipe Tue, 20 Apr 2010 16:24:21 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=298224
Log: - Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML) Bug: http://bugs.php.net/51615 (Open) PHP crash with wrong HTML in SimpleXML Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/simplexml/simplexml.c A php/php-src/branches/PHP_5_2/ext/simplexml/tests/bug51615.phpt U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/simplexml/simplexml.c A php/php-src/branches/PHP_5_3/ext/simplexml/tests/bug51615.phpt U php/php-src/trunk/ext/simplexml/simplexml.c A php/php-src/trunk/ext/simplexml/tests/bug51615.phpt Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2010-04-20 15:59:01 UTC (rev 298223) +++ php/php-src/branches/PHP_5_2/NEWS 2010-04-20 16:24:21 UTC (rev 298224) @@ -12,6 +12,7 @@ - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) +- Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML). (Felipe) - Fixed bug #51609 (pg_copy_to: Invalid results when using fourth parameter). (Felipe) - Fixed bug #51608 (pg_copy_to: WARNING: nonstandard use of \\ in a string Modified: php/php-src/branches/PHP_5_2/ext/simplexml/simplexml.c =================================================================== --- php/php-src/branches/PHP_5_2/ext/simplexml/simplexml.c 2010-04-20 15:59:01 UTC (rev 298223) +++ php/php-src/branches/PHP_5_2/ext/simplexml/simplexml.c 2010-04-20 16:24:21 UTC (rev 298224) 
@@ -969,10 +969,15 @@ static inline char * sxe_xmlNodeListGetString(xmlDocPtr doc, xmlNodePtr list, int inLine) { xmlChar *tmp = xmlNodeListGetString(doc, list, inLine); - char *res = estrdup((char*)tmp); - - xmlFree(tmp); + char *res; + if (tmp) { + res = estrdup((char*)tmp); + xmlFree(tmp); + } else { + res = STR_EMPTY_ALLOC(); + } + return res; } Added: php/php-src/branches/PHP_5_2/ext/simplexml/tests/bug51615.phpt =================================================================== --- php/php-src/branches/PHP_5_2/ext/simplexml/tests/bug51615.phpt (rev 0) +++ php/php-src/branches/PHP_5_2/ext/simplexml/tests/bug51615.phpt 2010-04-20 16:24:21 UTC (rev 298224) @@ -0,0 +1,22 @@ +--TEST-- +Bug #51615 (PHP crash with wrong HTML in SimpleXML) +--SKIPIF-- +<?php if (!extension_loaded("simplexml")) print "skip"; ?> +--FILE-- +<?php + +$dom = new DOMDocument; +$dom->loadHTML('<span title=""y">x</span><span title=""z">x</span>'); +$html = simplexml_import_dom($dom); + +foreach ($html->body->span as $obj) { + var_dump((string)$obj->title); +} + +?> +--EXPECTF-- +Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d + +Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d +string(0) "" +string(0) "" Property changes on: php/php-src/branches/PHP_5_2/ext/simplexml/tests/bug51615.phpt ___________________________________________________________________ Added: svn:keywords + Id Rev Revision Added: svn:eol-style + native Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2010-04-20 15:59:01 UTC (rev 298223) +++ php/php-src/branches/PHP_5_3/NEWS 2010-04-20 16:24:21 UTC (rev 298224) 
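Review bot: The new `else` branch in sxe_xmlNodeListGetString() turns every NULL from xmlNodeListGetString() into an empty string, and nothing in the code says why or what the caller owns. A short comment above `if (tmp) {` would help, e.g. `/* xmlNodeListGetString() returns NULL for an empty node list (attribute without a value); always hand back an emalloc'd string */`. libxml2 can presumably also return NULL on allocation failure, so the empty-string result hides that case; this is probably acceptable here but worth stating in the comment. Any direct xmlNodeListGetString() calls elsewhere in simplexml.c (not visible in this hunk) should go through this wrapper or get the same NULL check, because the crash is reachable from malformed markup. The same note applies to the identical hunks for PHP_5_3 and trunk.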
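Review bot: The `--SKIPIF--` section of bug51615.phpt only checks for simplexml, but the test body constructs a `DOMDocument` and calls `simplexml_import_dom()`, so a build without the dom extension would fail the test instead of skipping it. I would change the line to `<?php if (!extension_loaded("simplexml") || !extension_loaded("dom")) print "skip"; ?>`. The `--EXPECTF--` block also pins libxml2's exact warning text ("error parsing attribute name in Entity"), which may differ between libxml2 versions; matching the message with `%s` would keep the test focused on the two `string(0) ""` results that prove the crash is gone. The same applies to the identical test files added under PHP_5_3 and trunk.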
@@ -18,6 +18,7 @@ requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) - Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas) +- Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML). (Felipe) - Fixed bug #51609 (pg_copy_to: Invalid results when using fourth parameter). (Felipe) - Fixed bug #51608 (pg_copy_to: WARNING: nonstandard use of \\ in a string Modified: php/php-src/branches/PHP_5_3/ext/simplexml/simplexml.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/simplexml/simplexml.c 2010-04-20 15:59:01 UTC (rev 298223) +++ php/php-src/branches/PHP_5_3/ext/simplexml/simplexml.c 2010-04-20 16:24:21 UTC (rev 298224) @@ -988,10 +988,15 @@ static inline char * sxe_xmlNodeListGetString(xmlDocPtr doc, xmlNodePtr list, int inLine) /* {{{ */ { xmlChar *tmp = xmlNodeListGetString(doc, list, inLine); - char *res = estrdup((char*)tmp); + char *res; + + if (tmp) { + res = estrdup((char*)tmp); + xmlFree(tmp); + } else { + res = STR_EMPTY_ALLOC(); + } - xmlFree(tmp); - return res; } /* }}} */ Added: php/php-src/branches/PHP_5_3/ext/simplexml/tests/bug51615.phpt =================================================================== --- php/php-src/branches/PHP_5_3/ext/simplexml/tests/bug51615.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/ext/simplexml/tests/bug51615.phpt 2010-04-20 16:24:21 UTC (rev 298224) 
@@ -0,0 +1,22 @@ +--TEST-- +Bug #51615 (PHP crash with wrong HTML in SimpleXML) +--SKIPIF-- +<?php if (!extension_loaded("simplexml")) print "skip"; ?> +--FILE-- +<?php + +$dom = new DOMDocument; +$dom->loadHTML('<span title=""y">x</span><span title=""z">x</span>'); +$html = simplexml_import_dom($dom); + +foreach ($html->body->span as $obj) { + var_dump((string)$obj->title); +} + +?> +--EXPECTF-- +Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d + +Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d +string(0) "" +string(0) "" Property changes on: php/php-src/branches/PHP_5_3/ext/simplexml/tests/bug51615.phpt ___________________________________________________________________ Added: svn:keywords + Id Rev Revision Added: svn:eol-style + native Modified: php/php-src/trunk/ext/simplexml/simplexml.c =================================================================== --- php/php-src/trunk/ext/simplexml/simplexml.c 2010-04-20 15:59:01 UTC (rev 298223) +++ php/php-src/trunk/ext/simplexml/simplexml.c 2010-04-20 16:24:21 UTC (rev 298224) @@ -988,10 +988,15 @@ static inline char * sxe_xmlNodeListGetString(xmlDocPtr doc, xmlNodePtr list, int inLine) /* {{{ */ { xmlChar *tmp = xmlNodeListGetString(doc, list, inLine); - char *res = estrdup((char*)tmp); + char *res; + + if (tmp) { + res = estrdup((char*)tmp); + xmlFree(tmp); + } else { + res = STR_EMPTY_ALLOC(); + } - xmlFree(tmp); - return res; } /* }}} */ Added: php/php-src/trunk/ext/simplexml/tests/bug51615.phpt =================================================================== --- php/php-src/trunk/ext/simplexml/tests/bug51615.phpt (rev 0) +++ php/php-src/trunk/ext/simplexml/tests/bug51615.phpt 2010-04-20 16:24:21 UTC (rev 298224) 
@@ -0,0 +1,22 @@
+--TEST--
+Bug #51615 (PHP crash with wrong HTML in SimpleXML)
+--SKIPIF--
+<?php if (!extension_loaded("simplexml")) print "skip"; ?>
+--FILE--
+<?php
+
+$dom = new DOMDocument;
+$dom->loadHTML('<span title=""y">x</span><span title=""z">x</span>');
+$html = simplexml_import_dom($dom);
+
+foreach ($html->body->span as $obj) {
+ var_dump((string)$obj->title);
+}
+
+?>
+--EXPECTF--
+Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
+
+Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
+string(0) ""
+string(0) ""
Property changes on: php/php-src/trunk/ext/simplexml/tests/bug51615.phpt
___________________________________________________________________
Added: svn:keywords + Id Rev Revision
Added: svn:eol-style + native