scottmac                                 Fri, 13 May 2011 05:54:34 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=310981

Log:
Fix use after free() in XMLReader::xml()

Changed paths:
    U   php/php-src/branches/PHP_5_3/ext/xmlreader/php_xmlreader.c
    U   php/php-src/trunk/ext/xmlreader/php_xmlreader.c

Modified: php/php-src/branches/PHP_5_3/ext/xmlreader/php_xmlreader.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/xmlreader/php_xmlreader.c  2011-05-13 
05:06:48 UTC (rev 310980)
+++ php/php-src/branches/PHP_5_3/ext/xmlreader/php_xmlreader.c  2011-05-13 
05:54:34 UTC (rev 310981)
@@ -1092,9 +1092,7 @@
                        uri = (char *) xmlCanonicPath((const xmlChar *) 
resolved_path);
                }
                reader = xmlNewTextReader(inputbfr, uri);
-               if (uri) {
-                       xmlFree(uri);
-               }
+
                if (reader != NULL) {
 #if LIBXML_VERSION >= 20628
                        ret = xmlTextReaderSetup(reader, NULL, uri, encoding, 
options);
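Review bot: Nothing at the spot where the early `xmlFree(uri)` was removed records why `uri` must stay alive; the hunk leaves only a blank line after `xmlNewTextReader(inputbfr, uri)`. A one-line comment there would keep a later cleanup from moving the free back above the `xmlTextReaderSetup(reader, NULL, uri, encoding, options)` call, for example `/* uri is still passed to xmlTextReaderSetup() below; free it only after setup */`. The same comment belongs in the matching trunk hunk at -1091,9 +1092,7. The enclosing function starts and ends outside this hunk.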
@@ -1108,11 +1106,20 @@
                                }
                                intern->input = inputbfr;
                                intern->ptr = reader;
+
+                               if (uri) {
+                                       xmlFree(uri);
+                               }
+
                                return;
                        }
                }
        }

+       if (uri) {
+               xmlFree(uri);
+       }
+
        if (inputbfr) {
                xmlFreeParserInputBuffer(inputbfr);
        }
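Review bot: The failure path still appears to leak `reader`: when `reader != NULL` but the success block ending in `return` is not taken, control falls to the tail, which frees only `uri` and `inputbfr`. Unless code outside the hunk already releases it, add `xmlFreeTextReader(reader);` just before the brace that closes `if (reader != NULL)`, so the reader is released before `xmlFreeParserInputBuffer(inputbfr)`. The new tail `if (uri)` is also reached from paths that never assign `uri`, so its declaration (not visible here) has to initialise it to `NULL`. Both points apply equally to the trunk hunk at -1107,11 +1106,20. The lines between the setup call and this hunk are not shown, so the success condition itself is inferred.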

Modified: php/php-src/trunk/ext/xmlreader/php_xmlreader.c
===================================================================
--- php/php-src/trunk/ext/xmlreader/php_xmlreader.c     2011-05-13 05:06:48 UTC 
(rev 310980)
+++ php/php-src/trunk/ext/xmlreader/php_xmlreader.c     2011-05-13 05:54:34 UTC 
(rev 310981)
@@ -30,6 +30,7 @@
 #ifdef HAVE_DOM
 #include "ext/dom/xml_common.h"
 #endif
+#include <libxml/xmlreader.h>
 #include <libxml/uri.h>

 zend_class_entry *xmlreader_class_entry;
@@ -1091,9 +1092,7 @@
                        uri = (char *) xmlCanonicPath((const xmlChar *) 
resolved_path);
                }
                reader = xmlNewTextReader(inputbfr, uri);
-               if (uri) {
-                       xmlFree(uri);
-               }
+
                if (reader != NULL) {
 #if LIBXML_VERSION >= 20628
                        ret = xmlTextReaderSetup(reader, NULL, uri, encoding, 
options);
@@ -1107,11 +1106,20 @@
                                }
                                intern->input = inputbfr;
                                intern->ptr = reader;
+
+                               if (uri) {
+                                       xmlFree(uri);
+                               }
+
                                return;
                        }
                }
        }

+       if (uri) {
+               xmlFree(uri);
+       }
+
        if (inputbfr) {
                xmlFreeParserInputBuffer(inputbfr);
        }
