Fix #80332: Completely broken array access functionality with DOMNamedNodeMap

nielsdos · nielsdos · commit 052376ec6bcb · 2023-06-17T18:03:46.000+02:00
The problem is the usage of zval_get_long(). In particular, if the
string is non-numeric the result of zval_get_long() will be 0 *without
giving an error or warning*. This is misleading for users: users get the
impression that they can use strings to access the map because it
coincidentally works for the first item (which is at index 0). Of
course, this fails with any other index which causes confusion and bugs.

This patch adds proper support for using string offsets while accessing
the map. It does so by detecting if it's a non-numeric string, and then
using the getNamedItem() method instead of item().

I plan on refactoring this for 8.3 to avoid the double function call
and useless object construction for notations.
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
@@ -1692,18 +1692,51 @@ static zval *dom_nodelist_read_dimension(zend_object *object, zval *offset, int
 		return NULL;
 	}
 
-	ZVAL_LONG(&offset_copy, zval_get_long(offset));
-
+	if (Z_TYPE_P(offset) == IS_STRING) {
+		/* See zval_get_long_func() */
+		zend_long lval;
+		double dval;
+		zend_uchar is_numeric_string_type;
+		if (0 == (is_numeric_string_type = is_numeric_string(Z_STRVAL_P(offset), Z_STRLEN_P(offset), &lval, &dval, true))) {
+			/* exceptional case, switch to named lookup */
+			ZVAL_COPY(&offset_copy, offset);
+			zend_call_method_with_1_params(object, object->ce, NULL, "getNamedItem", rv, &offset_copy);
+			return rv;
+		} else if (EXPECTED(is_numeric_string_type == IS_LONG)) {
+			ZVAL_LONG(&offset_copy, lval);
+		} else {
+			ZVAL_LONG(&offset_copy, zend_dval_to_lval_cap(dval));
+		}
+	} else {
+		ZVAL_LONG(&offset_copy, zval_get_long(offset));
+	}
 	zend_call_method_with_1_params(object, object->ce, NULL, "item", rv, &offset_copy);
 
 	return rv;
 } /* }}} end dom_nodelist_read_dimension */
 
 static int dom_nodelist_has_dimension(zend_object *object, zval *member, int check_empty)
 {
-	zend_long offset = zval_get_long(member);
+	zend_long offset;
 	zval rv;
 
+	if (Z_TYPE_P(member) == IS_STRING) {
+		/* See zval_get_long_func() */
+		double dval;
+		zend_uchar is_numeric_string_type;
+		if (0 == (is_numeric_string_type = is_numeric_string(Z_STRVAL_P(member), Z_STRLEN_P(member), &offset, &dval, true))) {
+			/* exceptional case, switch to named lookup */
+			zend_call_method_with_1_params(object, object->ce, NULL, "getNamedItem", &rv, member);
+			int ret = Z_TYPE(rv) != IS_NULL;
+			zval_ptr_dtor(&rv);
+			return ret;
+		} else if (is_numeric_string_type == IS_DOUBLE) {
+			offset = zend_dval_to_lval_cap(dval);
+		}
+	} else {
+		offset = zval_get_long(member);
+	}
+
 	if (offset < 0) {
 		return 0;
 	} else {
diff --git a/ext/dom/tests/bug80332.phpt b/ext/dom/tests/bug80332.phpt
@@ -58,13 +58,13 @@ Attribute [null] name: attr1
 Attribute [null] value: value1
 Attribute [null] isset: yes
 
-Attribute ['attr2'] name: attr1
-Attribute ['attr2'] value: value1
+Attribute ['attr2'] name: attr2
+Attribute ['attr2'] value: value2
 Attribute ['attr2'] isset: yes
 
-Attribute ['hi'] name: attr1
-Attribute ['hi'] value: value1
-Attribute ['hi'] isset: yes
+Attribute ['hi'] name: /
+Attribute ['hi'] value: /
+Attribute ['hi'] isset: no
 
 Attribute ['0'] name: attr1
 Attribute ['0'] value: value1
