From 9f7e8b777cb3e8aac53e677f3152af18413ab672 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Thu, 11 Mar 2021 22:14:55 +0100 Subject: [PATCH] Fix #80852: Stack-overflow when json_encode()'ing SimpleXMLElement We ignore `XML_ENTITY_DECL` nodes when getting the hash of the properties of a `SimpleXMLElement`. --- ext/simplexml/simplexml.c | 4 ++-- ext/simplexml/tests/bug80852.phpt | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 ext/simplexml/tests/bug80852.phpt diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index ab394b5c83b..81298cd5189 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c @@ -1192,7 +1192,7 @@ static HashTable *sxe_get_prop_hash(zval *object, int is_debug) /* {{{ */ } } - if (node->type == XML_ELEMENT_NODE && (! match_ns(sxe, node, sxe->iter.nsprefix, sxe->iter.isprefix))) { + if (node->type == XML_ELEMENT_NODE && (! match_ns(sxe, node, sxe->iter.nsprefix, sxe->iter.isprefix)) || node->type == XML_ENTITY_DECL) { goto next_iter; } @@ -1889,7 +1889,7 @@ static int sxe_object_cast_ex(zval *readobj, zval *writeobj, int type) if (sxe->node && sxe->node->node) { if (sxe->node->node->children) { - contents = xmlNodeListGetString((xmlDocPtr) sxe->document->ptr, sxe->node->node->children, 1); + contents = xmlNodeListGetRawString((xmlDocPtr) sxe->document->ptr, sxe->node->node->children, 1); } } } diff --git a/ext/simplexml/tests/bug80852.phpt b/ext/simplexml/tests/bug80852.phpt new file mode 100644 index 00000000000..abda2deda1e --- /dev/null +++ b/ext/simplexml/tests/bug80852.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #80852 (Stack-overflow when json_encode()'ing SimpleXMLElement) +--SKIPIF-- + +--FILE-- + ]>b&xee2;'; +$sxe = simplexml_load_string($xml); +var_dump(json_encode($sxe)); +var_dump($sxe); +?> +--EXPECT-- +string(11) "{"xee2":{}}" +object(SimpleXMLElement)#1 (1) { + ["xee2"]=> + object(SimpleXMLElement)#3 (0) { + } +}
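Review bot: The new condition in sxe_get_prop_hash mixes `&&` and `||` without grouping, so a reader has to rely on operator precedence to see that the `XML_ENTITY_DECL` test is a separate alternative and not part of the namespace check; compilers commonly warn about this under `-Wparentheses`. Writing it as `if ((node->type == XML_ELEMENT_NODE && !match_ns(sxe, node, sxe->iter.nsprefix, sxe->iter.isprefix)) || node->type == XML_ENTITY_DECL) {` keeps the behaviour and makes the intent explicit. A short comment such as `/* entity declarations are not properties; skipping them avoids the stack overflow from bug #80852 */` would also help, since this guard appears to be what keeps DTD entity declarations out of the property walk. The surrounding loop starts and ends outside the hunk.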
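Review bot: The switch from `xmlNodeListGetString` to `xmlNodeListGetRawString` in sxe_object_cast_ex is not explained anywhere: the commit message only describes skipping `XML_ENTITY_DECL` nodes, and nothing in bug80852.phpt as shown casts an element to a string. If the raw variant is needed for the same entity-handling reason, a comment above the call should say so and state what differs for callers of the string cast. A string-cast assertion in the test, for example `var_dump((string) $sxe->xee2);` (element name taken from the expected output), would pin the new behaviour. The function body continues outside the hunk.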