scottmac Fri, 13 May 2011 05:54:34 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=310981
Log: Fix use after free() in XMLReader::xml() Changed paths: U php/php-src/branches/PHP_5_3/ext/xmlreader/php_xmlreader.c U php/php-src/trunk/ext/xmlreader/php_xmlreader.c Modified: php/php-src/branches/PHP_5_3/ext/xmlreader/php_xmlreader.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/xmlreader/php_xmlreader.c 2011-05-13 05:06:48 UTC (rev 310980) +++ php/php-src/branches/PHP_5_3/ext/xmlreader/php_xmlreader.c 2011-05-13 05:54:34 UTC (rev 310981) @@ -1092,9 +1092,7 @@ uri = (char *) xmlCanonicPath((const xmlChar *) resolved_path); } reader = xmlNewTextReader(inputbfr, uri); - if (uri) { - xmlFree(uri); - } + if (reader != NULL) { #if LIBXML_VERSION >= 20628 ret = xmlTextReaderSetup(reader, NULL, uri, encoding, options); @@ -1108,11 +1106,20 @@ } intern->input = inputbfr; intern->ptr = reader; + + if (uri) { + xmlFree(uri); + } + return; } } } + if (uri) { + xmlFree(uri); + } + if (inputbfr) { xmlFreeParserInputBuffer(inputbfr); } Modified: php/php-src/trunk/ext/xmlreader/php_xmlreader.c =================================================================== --- php/php-src/trunk/ext/xmlreader/php_xmlreader.c 2011-05-13 05:06:48 UTC (rev 310980) +++ php/php-src/trunk/ext/xmlreader/php_xmlreader.c 2011-05-13 05:54:34 UTC (rev 310981) @@ -30,6 +30,7 @@ #ifdef HAVE_DOM #include "ext/dom/xml_common.h" #endif +#include <libxml/xmlreader.h> #include <libxml/uri.h> zend_class_entry *xmlreader_class_entry; @@ -1091,9 +1092,7 @@ uri = (char *) xmlCanonicPath((const xmlChar *) resolved_path); } reader = xmlNewTextReader(inputbfr, uri); - if (uri) { - xmlFree(uri); - } + if (reader != NULL) { #if LIBXML_VERSION >= 20628 ret = xmlTextReaderSetup(reader, NULL, uri, encoding, options); @@ -1107,11 +1106,20 @@ } intern->input = inputbfr; intern->ptr = reader; + + if (uri) { + xmlFree(uri); + } + return; } } } + if (uri) { + xmlFree(uri); + } + if (inputbfr) { xmlFreeParserInputBuffer(inputbfr); }
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php