From 63e1ebe78d6c49907ee47fd268654a5cef1bf65a Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Tue, 1 Oct 2024 19:55:23 +0200 Subject: [PATCH] Fix GH-16149: Null pointer dereference in DOMElement->getAttributeNames() A namespace without a prefix is by definition always the "xmlns" namespace. Closes GH-16155. --- NEWS | 2 ++ ext/dom/element.c | 6 +++++- ext/dom/tests/gh16149.phpt | 14 ++++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ext/dom/tests/gh16149.phpt diff --git a/NEWS b/NEWS index 315509a4a3a..55f6d7efcd2 100644 --- a/NEWS +++ b/NEWS @@ -14,6 +14,8 @@ PHP NEWS - DOM: . Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c). (nielsdos) + . Fixed bug GH-16149 (Null pointer dereference in + DOMElement->getAttributeNames()). (nielsdos) - JSON: . Fixed bug GH-15168 (stack overflow in json_encode()). (nielsdos) diff --git a/ext/dom/element.c b/ext/dom/element.c index 46f1100a767..0b4117fb08e 100644 --- a/ext/dom/element.c +++ b/ext/dom/element.c @@ -339,7 +339,11 @@ PHP_METHOD(DOMElement, getAttributeNames) for (xmlNsPtr nsptr = nodep->nsDef; nsptr; nsptr = nsptr->next) { const char *prefix = (const char *) nsptr->prefix; - ZVAL_STR(&tmp, dom_node_concatenated_name_helper(strlen(prefix), prefix, strlen("xmlns"), (const char *) "xmlns")); + if (prefix == NULL) { + ZVAL_STRING(&tmp, "xmlns"); + } else { + ZVAL_STR(&tmp, dom_node_concatenated_name_helper(strlen(prefix), prefix, strlen("xmlns"), (const char *) "xmlns")); + } zend_hash_next_index_insert(ht, &tmp); } diff --git a/ext/dom/tests/gh16149.phpt b/ext/dom/tests/gh16149.phpt new file mode 100644 index 00000000000..c6e1140e75f --- /dev/null +++ b/ext/dom/tests/gh16149.phpt @@ -0,0 +1,14 @@ +--TEST-- +GH-16149 (Null pointer dereference in DOMElement->getAttributeNames()) +--EXTENSIONS-- +dom +--FILE-- +getAttributeNames()); +?> +--EXPECT-- +array(1) { + [0]=> + string(5) "xmlns" +}
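Review bot: The new `prefix == NULL` branch in the `nsDef` loop of `getAttributeNames` has no comment explaining why a NULL prefix is a legitimate state rather than a corrupted node. libxml2 stores a default namespace declaration (`xmlns="..."`) as an `xmlNs` whose `prefix` is NULL, and that is the value which previously reached `strlen(prefix)`. I would add `/* Default namespace declaration: libxml2 stores it with a NULL prefix, so the attribute name is just "xmlns". */` above the `if`. Since the crash was reachable from PHP code through `DOMElement->getAttributeNames()`, it is also worth checking whether other readers of `nsptr->prefix` in ext/dom assume a non-NULL prefix; nothing in this hunk shows that they do. The enclosing `PHP_METHOD` body starts and ends outside the hunk.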
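Review bot: The `--EXPECT--` section of `gh16149.phpt` pins only the NULL-prefix branch (a single `xmlns` entry), so the `else` branch that builds the prefixed name through `dom_node_concatenated_name_helper` is not exercised by this test. A second case with a prefixed namespace declaration next to the default one, asserting both names in the output, would guard both paths against regression. The `--FILE--` body is partly missing from this page, so this is based on the visible expectation only.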