From 427c2441688768e0de51bd71d2ab3fd9df11448d Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 4 May 2024 13:57:50 +0200 Subject: [PATCH] Fix GH-14124: Segmentation fault on unknown address 0x0001ffff8041 with XML extension under certain memory limit (#14126) The ltags were not initialized, so when an OOM happens before the new value is written, uninitialized data is used.
--- NEWS | 4 ++++ ext/xml/xml.c | 1 + 2 files changed, 5 insertions(+)
diff --git a/NEWS b/NEWS
index 570a1b7ad67..dc16e1fdb71 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,10 @@ PHP NEWS . Fix crash when calling childNodes next() when iterator is exhausted. (nielsdos) +- XML: . Fixed bug GH-14124 (Segmentation fault with XML extension under certain memory limit). (nielsdos) + 09 May 2024, PHP 8.2.19 - Core:
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index 1e8a97c9059..59d50faed11 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -1292,6 +1292,7 @@ PHP_FUNCTION(xml_parse_into_struct) parser->level = 0; xml_parser_free_ltags(parser); parser->ltags = safe_emalloc(XML_MAXLEVEL, sizeof(char *), 0); + memset(parser->ltags, 0, XML_MAXLEVEL * sizeof(char *)); XML_SetElementHandler(parser->parser, _xml_startElementHandler, _xml_endElementHandler); XML_SetCharacterDataHandler(parser->parser, _xml_characterDataHandler);
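Review bot: The added memset in the ext/xml/xml.c hunk zero-fills the array only after safe_emalloc has returned, which is correct but leaves two lines that must stay in lockstep; `parser->ltags = ecalloc(XML_MAXLEVEL, sizeof(char *));` gives a zero-filled allocation in a single call and removes the chance of the allocation and the clearing drifting apart in a later edit. Whichever form is kept, the line deserves a why-comment, because nothing nearby explains why zero-fill is load-bearing, e.g. `/* Must be zero-filled: an OOM bailout mid-parse can free ltags before every level has been assigned, so the free path must only ever see NULL or a valid tag pointer. */`. The commit message says the uninitialized entries were read on the OOM path; the free path's treatment of NULL entries is outside this hunk, so it is worth confirming that xml_parser_free_ltags skips NULL rather than relying on it implicitly. The enclosing PHP_FUNCTION(xml_parse_into_struct) starts and ends outside the hunk.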