Skip to content

Instantly share code, notes, and snippets.

/73293.diff Secret
Created Oct 11, 2016

Embed
What would you like to do?
Patch for 73293
commit 96a8cf8e1b5dc1b0c708bb5574e0d6727cc56d9e
Author: Stanislav Malyshev <stas@php.net>
Date: Tue Oct 11 13:30:52 2016 -0700
Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
diff --git a/Zend/zend_API.h b/Zend/zend_API.h
index c57c003..dadeaf5 100644
--- a/Zend/zend_API.h
+++ b/Zend/zend_API.h
@@ -665,7 +665,7 @@ END_EXTERN_C()
} \
RETURN_FALSE; \
} \
- RETVAL_STRINGL((s), __len, (dup)); \
+ RETVAL_STRINGL((s), (int)__len, (dup)); \
} while (0)
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index 07fc654..d7077fc 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -1412,9 +1412,15 @@ SXE_METHOD(asXML)
if (node) {
if (node->parent && (XML_DOCUMENT_NODE == node->parent->type)) {
xmlDocDumpMemoryEnc((xmlDocPtr) sxe->document->ptr, &strval, &strval_len, ((xmlDocPtr) sxe->document->ptr)->encoding);
+ if (!strval) {
+ RETVAL_FALSE;
+ } else {
RETVAL_STRINGL((char *)strval, strval_len, 1);
+ }
xmlFree(strval);
} else {
+ char *return_content;
+ size_t return_len;
/* Should we be passing encoding information instead of NULL? */
outbuf = xmlAllocOutputBuffer(NULL);
@@ -1425,10 +1431,17 @@ SXE_METHOD(asXML)
xmlNodeDumpOutput(outbuf, (xmlDocPtr) sxe->document->ptr, node, 0, 0, ((xmlDocPtr) sxe->document->ptr)->encoding);
xmlOutputBufferFlush(outbuf);
#ifdef LIBXML2_NEW_BUFFER
- RETVAL_STRINGL((char *)xmlOutputBufferGetContent(outbuf), xmlOutputBufferGetSize(outbuf), 1);
+ return_content = (char *)xmlOutputBufferGetContent(outbuf);
+ return_len = xmlOutputBufferGetSize(outbuf);
#else
- RETVAL_STRINGL((char *)outbuf->buffer->content, outbuf->buffer->use, 1);
+ return_content = (char *)outbuf->buffer->content;
+ return_len = outbuf->buffer->use;
#endif
+ if (!return_content) {
+ RETVAL_FALSE;
+ } else {
+ RETVAL_STRINGL_CHECK(return_content, return_len, 1);
+ }
xmlOutputBufferClose(outbuf);
}
} else {
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.