From d94846c3b4d6cfc2564b59aebcb9abe6b347ace6 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 29 Sep 2025 15:18:03 +0200
Subject: [PATCH 1/2] Fix GH-19988: zend_string_init with NULL pointer in simplexml (UB)
Normally, simplexml cannot import document nodes, but xsl allows to circumvent this. A document does not have a name, so we return the empty string in that case. While we could add an explicit check, we might as well switch the macro to a form that would be more optimal anyway as many tag names can be single characters. The test was added in xsl because adding it in simplexml would break out-of-tree builds of simplexml. Closes GH-19990.
---
 NEWS | 4 ++++
 ext/simplexml/simplexml.c | 2 +-
 ext/xsl/tests/gh19988.phpt | 19 +++++++++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 ext/xsl/tests/gh19988.phpt
diff --git a/NEWS b/NEWS
index fc3c0662b93..249ef8f98ed 100644
--- a/NEWS
+++ b/NEWS
@@ -27,6 +27,10 @@ PHP NEWS
 of the curl_copy_handle() function to clone a CurlHandle. (timwolla)
 . Fix curl build failure on macOS+curl 8.16. (nielsdos)
+- SimpleXML:
+ . Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).
+ (nielsdos)
+
 - Soap:
 . Fixed bug GH-19784 (SoapServer memory leak). (nielsdos)
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index 11f497a6673..6eae5650340 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -1661,7 +1661,7 @@ PHP_METHOD(SimpleXMLElement, getName)
 node = php_sxe_get_first_node(sxe, node);
 if (node) {
 namelen = xmlStrlen(node->name);
- RETURN_STRINGL((char*)node->name, namelen);
+ RETURN_STRINGL_FAST((const char *) node->name, namelen);
 } else {
 RETURN_EMPTY_STRING();
 }
diff --git a/ext/xsl/tests/gh19988.phpt b/ext/xsl/tests/gh19988.phpt
new file mode 100644
index 00000000000..174af282f9c
--- /dev/null
+++ b/ext/xsl/tests/gh19988.phpt
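Review bot: The new `RETURN_STRINGL_FAST` line is correct only because that macro never reads through its pointer when the length is 0, which is the sole thing keeping the NULL `name` of a document node (reachable through XSL, per the commit message) away from `memcpy`; nothing in the code records this, and the surrounding `if (node)` still reads as though `node->name` were always non-NULL. I would state the invariant above the call, e.g. `/* node->name is NULL for document nodes (e.g. XSL transform results): xmlStrlen(NULL) is 0 and the _FAST variant does not touch the pointer for length 0, so no extra NULL check is needed. */`. Without it, a later change back to `RETURN_STRINGL` or to a direct `zend_string_init` would silently reintroduce the UB that GH-19988 reports. PHP_METHOD(SimpleXMLElement, getName) starts outside the hunk.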
@@ -0,0 +1,19 @@
+--TEST--
+GH-19988 (zend_string_init with NULL pointer in simplexml (UB))
+--EXTENSIONS--
+simplexml
+xsl
+--CREDITS--
+YuanchengJiang
+--FILE-- +load(__DIR__ . '/53965/collection.xsl');
+$processor->importStylesheet($dom);
+$result = $processor->transformToDoc($sxe, SimpleXMLElement::class);
+var_dump($result->getName());
+?>
+--EXPECT--
+string(0) ""
From 190f427198b2e789f33f8ba8a225a9140458786a Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 29 Sep 2025 16:05:33 +0200
Subject: [PATCH 2/2] Fix NEWS order
---
 NEWS | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/NEWS b/NEWS
index 249ef8f98ed..3955fab9ed2 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,11 @@ PHP NEWS
 . Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is configured). (nielsdos)
+- Curl:
+ . Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead
+ of the curl_copy_handle() function to clone a CurlHandle. (timwolla)
+ . Fix curl build failure on macOS+curl 8.16. (nielsdos)
+
 - Date:
 . Fixed GH-17159: "P" format for ::createFromFormat swallows string literals. (nielsdos)
@@ -22,11 +27,6 @@ PHP NEWS
 - DBA:
 . Fixed GH-19885 (dba_fetch() overflow on skip argument). (David Carlier)
-- Curl:
- . Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead
- of the curl_copy_handle() function to clone a CurlHandle. (timwolla)
- . Fix curl build failure on macOS+curl 8.16. (nielsdos)
-
 - SimpleXML:
 . Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).
 (nielsdos)