[PHP-CVS] com php-src: truncate results at depth of 255 to prevent corruption: ext/xml/xml.c
Commit:fd803718df0aa413fd8c47eaa030fcc61f3feb28 Author:Rob Richards rricha...@php.net Sat, 6 Jul 2013 07:53:07 -0400 Committer: Johannes Schlüter johan...@php.net Wed, 10 Jul 2013 19:40:44 +0200 Parents: 55c279ed3fd6de8ce4d9d16d98ae7bce1a8b73fa Branches: PHP-5.3.27 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=fd803718df0aa413fd8c47eaa030fcc61f3feb28 Log: truncate results at depth of 255 to prevent corruption Changed paths: M ext/xml/xml.c Diff: diff --git a/ext/xml/xml.c b/ext/xml/xml.c index 1f0480b..9f0bc30 100644 --- a/ext/xml/xml.c +++ b/ext/xml/xml.c @@ -427,7 +427,7 @@ static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC) } if (parser-ltags) { int inx; - for (inx = 0; inx parser-level; inx++) + for (inx = 0; ((inx parser-level) (inx XML_MAXLEVEL)); inx++) efree(parser-ltags[ inx ]); efree(parser-ltags); } @@ -905,45 +905,50 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch } if (parser-data) { - zval *tag, *atr; - int atcnt = 0; + if (parser-level = XML_MAXLEVEL) { + zval *tag, *atr; + int atcnt = 0; - MAKE_STD_ZVAL(tag); - MAKE_STD_ZVAL(atr); + MAKE_STD_ZVAL(tag); + MAKE_STD_ZVAL(atr); - array_init(tag); - array_init(atr); + array_init(tag); + array_init(atr); - _xml_add_to_info(parser,((char *) tag_name) + parser-toffset); + _xml_add_to_info(parser,((char *) tag_name) + parser-toffset); - add_assoc_string(tag,tag,((char *) tag_name) + parser-toffset,1); /* cast to avoid gcc-warning */ - add_assoc_string(tag,type,open,1); - add_assoc_long(tag,level,parser-level); + add_assoc_string(tag,tag,((char *) tag_name) + parser-toffset,1); /* cast to avoid gcc-warning */ + add_assoc_string(tag,type,open,1); + add_assoc_long(tag,level,parser-level); - parser-ltags[parser-level-1] = estrdup(tag_name); - parser-lastwasopen = 1; + parser-ltags[parser-level-1] = estrdup(tag_name); + parser-lastwasopen = 1; - attributes = (const XML_Char **) attrs; + attributes = (const XML_Char **) attrs; - while (attributes *attributes) { - att = _xml_decode_tag(parser, attributes[0]); - val = xml_utf8_decode(attributes[1], strlen(attributes[1]), val_len, parser-target_encoding); - - add_assoc_stringl(atr,att,val,val_len,0); + while (attributes *attributes) { + att = _xml_decode_tag(parser, attributes[0]); + val = xml_utf8_decode(attributes[1], strlen(attributes[1]), val_len, parser-target_encoding); - atcnt++; - attributes += 2; + add_assoc_stringl(atr,att,val,val_len,0); - efree(att); - } + atcnt++; + attributes += 2; - if (atcnt) { - zend_hash_add(Z_ARRVAL_P(tag),attributes,sizeof(attributes),atr,sizeof(zval*),NULL); - } else { - zval_ptr_dtor(atr); - } + efree(att); + } + + if (atcnt) { + zend_hash_add(Z_ARRVAL_P(tag),attributes,sizeof(attributes),atr,sizeof(zval*),NULL); + } else { + zval_ptr_dtor(atr); + } - zend_hash_next_index_insert(Z_ARRVAL_P(parser-data),tag,sizeof(zval*),(void *) parser-ctag); + zend_hash_next_index_insert(Z_ARRVAL_P(parser-data),tag,sizeof(zval*),(void *) parser-ctag); + } else if (parser-level == (XML_MAXLEVEL + 1)) { + TSRMLS_FETCH(); + php_error_docref(NULL TSRMLS_CC, E_WARNING,
[PHP-CVS] com php-src: truncate results at depth of 255 to prevent corruption: ext/xml/xml.c
Commit:7d163e8a0880ae8af2dd869071393e5dc07ef271 Author:Rob Richards rricha...@php.net Sat, 6 Jul 2013 07:53:07 -0400 Parents: e964817b244d091dc38f59f5d7f1735110b698af Branches: PHP-5.3 PHP-5.4 PHP-5.5 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=7d163e8a0880ae8af2dd869071393e5dc07ef271 Log: truncate results at depth of 255 to prevent corruption Changed paths: M ext/xml/xml.c Diff: diff --git a/ext/xml/xml.c b/ext/xml/xml.c index 1f0480b..9f0bc30 100644 --- a/ext/xml/xml.c +++ b/ext/xml/xml.c @@ -427,7 +427,7 @@ static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC) } if (parser-ltags) { int inx; - for (inx = 0; inx parser-level; inx++) + for (inx = 0; ((inx parser-level) (inx XML_MAXLEVEL)); inx++) efree(parser-ltags[ inx ]); efree(parser-ltags); } @@ -905,45 +905,50 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch } if (parser-data) { - zval *tag, *atr; - int atcnt = 0; + if (parser-level = XML_MAXLEVEL) { + zval *tag, *atr; + int atcnt = 0; - MAKE_STD_ZVAL(tag); - MAKE_STD_ZVAL(atr); + MAKE_STD_ZVAL(tag); + MAKE_STD_ZVAL(atr); - array_init(tag); - array_init(atr); + array_init(tag); + array_init(atr); - _xml_add_to_info(parser,((char *) tag_name) + parser-toffset); + _xml_add_to_info(parser,((char *) tag_name) + parser-toffset); - add_assoc_string(tag,tag,((char *) tag_name) + parser-toffset,1); /* cast to avoid gcc-warning */ - add_assoc_string(tag,type,open,1); - add_assoc_long(tag,level,parser-level); + add_assoc_string(tag,tag,((char *) tag_name) + parser-toffset,1); /* cast to avoid gcc-warning */ + add_assoc_string(tag,type,open,1); + add_assoc_long(tag,level,parser-level); - parser-ltags[parser-level-1] = estrdup(tag_name); - parser-lastwasopen = 1; + parser-ltags[parser-level-1] = estrdup(tag_name); + parser-lastwasopen = 1; - attributes = (const XML_Char **) attrs; + attributes = (const XML_Char **) attrs; - while (attributes *attributes) { - att = _xml_decode_tag(parser, attributes[0]); - val = xml_utf8_decode(attributes[1], strlen(attributes[1]), val_len, parser-target_encoding); - - add_assoc_stringl(atr,att,val,val_len,0); + while (attributes *attributes) { + att = _xml_decode_tag(parser, attributes[0]); + val = xml_utf8_decode(attributes[1], strlen(attributes[1]), val_len, parser-target_encoding); - atcnt++; - attributes += 2; + add_assoc_stringl(atr,att,val,val_len,0); - efree(att); - } + atcnt++; + attributes += 2; - if (atcnt) { - zend_hash_add(Z_ARRVAL_P(tag),attributes,sizeof(attributes),atr,sizeof(zval*),NULL); - } else { - zval_ptr_dtor(atr); - } + efree(att); + } + + if (atcnt) { + zend_hash_add(Z_ARRVAL_P(tag),attributes,sizeof(attributes),atr,sizeof(zval*),NULL); + } else { + zval_ptr_dtor(atr); + } - zend_hash_next_index_insert(Z_ARRVAL_P(parser-data),tag,sizeof(zval*),(void *) parser-ctag); + zend_hash_next_index_insert(Z_ARRVAL_P(parser-data),tag,sizeof(zval*),(void *) parser-ctag); + } else if (parser-level == (XML_MAXLEVEL + 1)) { + TSRMLS_FETCH(); + php_error_docref(NULL TSRMLS_CC, E_WARNING, Maximum depth exceeded - Results truncated); +