mirror of
https://github.com/php/php-src.git
synced 2026-03-24 00:02:20 +01:00
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2: Fix UAF when removing doctype and using foreach iteration
3
NEWS
3
NEWS
@@ -16,6 +16,9 @@ PHP NEWS
|
|||||||
. Fixed case when curl_error returns an empty string.
|
. Fixed case when curl_error returns an empty string.
|
||||||
(David Carlier)
|
(David Carlier)
|
||||||
|
|
||||||
|
- DOM:
|
||||||
|
. Fix UAF when removing doctype and using foreach iteration. (nielsdos)
|
||||||
|
|
||||||
- FFI:
|
- FFI:
|
||||||
. Fixed bug GH-14286 (ffi enum type (when enum has no name) make memory
|
. Fixed bug GH-14286 (ffi enum type (when enum has no name) make memory
|
||||||
leak). (nielsdos, dstogov)
|
leak). (nielsdos, dstogov)
|
||||||
|
|||||||
@@ -305,7 +305,7 @@ zend_object_iterator *php_dom_get_iterator(zend_class_entry *ce, zval *object, i
|
|||||||
if (objmap->nodetype == XML_ATTRIBUTE_NODE) {
|
if (objmap->nodetype == XML_ATTRIBUTE_NODE) {
|
||||||
curnode = (xmlNodePtr) basep->properties;
|
curnode = (xmlNodePtr) basep->properties;
|
||||||
} else {
|
} else {
|
||||||
curnode = (xmlNodePtr) basep->children;
|
curnode = dom_nodelist_iter_start_first_child(basep);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
xmlNodePtr nodep = basep;
|
xmlNodePtr nodep = basep;
|
||||||
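Review bot: The replaced line `curnode = dom_nodelist_iter_start_first_child(basep);` carries no comment explaining why the first child can no longer be read straight from `basep->children`, so a later cleanup could revert it and bring the use-after-free back. I would add a line above it such as `/* Entity references must have their declaration re-synced first; the doctype may already have been removed. */`, adjusted to match what the helper actually does, since only the start of its body is visible on this page. Only the iterator start is changed here, and `php_dom_get_iterator` begins and ends outside the hunk, so it is worth confirming that the move-forward path and any other direct `->children` read on a node-list base node go through the same helper.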
|
|||||||
@@ -49,7 +49,7 @@ static zend_always_inline void reset_objmap_cache(dom_nnodemap_object *objmap)
|
|||||||
objmap->cached_length = -1;
|
objmap->cached_length = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
static xmlNodePtr dom_nodelist_iter_start_first_child(xmlNodePtr nodep)
|
xmlNodePtr dom_nodelist_iter_start_first_child(xmlNodePtr nodep)
|
||||||
{
|
{
|
||||||
if (nodep->type == XML_ENTITY_REF_NODE) {
|
if (nodep->type == XML_ENTITY_REF_NODE) {
|
||||||
/* See entityreference.c */
|
/* See entityreference.c */
|
||||||
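Review bot: Dropping `static` from `dom_nodelist_iter_start_first_child` makes it callable from other files in the extension, but the definition still has no header comment describing its contract. A short comment should state that it returns the node from which child iteration starts, that entity reference nodes are special-cased (the `/* See entityreference.c */` pointer is all a caller gets today), and whether the result can be NULL. The prototype added in the header hunk sits next to declarations that all carry a `php_dom_` prefix; if that prefix is the convention for exported helpers, `php_dom_nodelist_iter_start_first_child` would be the consistent name. The function body continues outside this hunk.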
|
|||||||
@@ -174,6 +174,7 @@ void php_dom_named_node_map_get_item_into_zval(dom_nnodemap_object *objmap, zend
|
|||||||
void php_dom_nodelist_get_item_into_zval(dom_nnodemap_object *objmap, zend_long index, zval *return_value);
|
void php_dom_nodelist_get_item_into_zval(dom_nnodemap_object *objmap, zend_long index, zval *return_value);
|
||||||
int php_dom_get_namednodemap_length(dom_object *obj);
|
int php_dom_get_namednodemap_length(dom_object *obj);
|
||||||
int php_dom_get_nodelist_length(dom_object *obj);
|
int php_dom_get_nodelist_length(dom_object *obj);
|
||||||
|
xmlNodePtr dom_nodelist_iter_start_first_child(xmlNodePtr nodep);
|
||||||
|
|
||||||
#define DOM_GET_INTERN(__id, __intern) { \
|
#define DOM_GET_INTERN(__id, __intern) { \
|
||||||
__intern = Z_DOMOBJ_P(__id); \
|
__intern = Z_DOMOBJ_P(__id); \
|
||||||
|
|||||||
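--- a/ext/dom/tests/uaf_doctype_iterator.phpt
+++ b/ext/dom/tests/uaf_doctype_iterator.phpt
@@ -0,0 +1,26 @@
+--TEST--
+UAF when removing doctype and iterating over the child nodes
+--EXTENSIONS--
+dom
+--CREDITS--
+Yuancheng Jiang
+--FILE--
+<?php
+$dom = new DOMDocument;
+$dom->loadXML(<<<XML
+<!DOCTYPE foo [
+<!ENTITY foo1 "bar1">
+]>
+<foo>&foo1;</foo>
+XML);
+$ref = $dom->documentElement->firstChild;
+$nodes = $ref->childNodes;
+$dom->removeChild($dom->doctype);
+foreach($nodes as $str) {}
+var_dump($nodes);
+?>
+--EXPECTF--
+object(DOMNodeList)#%d (1) {
+["length"]=>
+int(0)
+}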