Skip to content

Commit 3fa5af8

Browse files
nielsdosnielsdos
committed
Fix crashes with entity references and predefined entities
There's two issues here: - freeing of predefined entity declaration crashes (unique to 8.3 & master) - using multiple entity references for a single entity declaration crashes (since forever) The fix for the last issue is fairly easy to do on 8.3, but may require a slightly different approach on 8.2. Therefore, for now this is 8.3-only. Closes GH-13004.
1 parent 8e8d5ce commit 3fa5af8

File tree

4 files changed

+78
-8
lines changed

4 files changed

+78
-8
lines changed

NEWS

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@ PHP NEWS
2222
(nielsdos)
2323
. Fix crash when toggleAttribute() is used without a document. (nielsdos)
2424
. Fix crash in adoptNode with attribute references. (nielsdos)
25+
. Fix crashes with entity references and predefined entities. (nielsdos)
2526

2627
- FFI:
2728
. Fixed bug GH-9698 (stream_wrapper_register crashes with FFI\CData).

ext/dom/tests/DOMEntityReference_predefined_free.phpt

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
--TEST--
2+
Freeing of a predefined DOMEntityReference
3+
--EXTENSIONS--
4+
dom
5+
--FILE--
6+
<?php
7+
$ref = new DOMEntityReference("amp");
8+
var_dump($ref);
9+
?>
10+
--EXPECT--
11+
object(DOMEntityReference)#1 (17) {
12+
["nodeName"]=>
13+
string(3) "amp"
14+
["nodeValue"]=>
15+
NULL
16+
["nodeType"]=>
17+
int(5)
18+
["parentNode"]=>
19+
NULL
20+
["parentElement"]=>
21+
NULL
22+
["childNodes"]=>
23+
string(22) "(object value omitted)"
24+
["firstChild"]=>
25+
string(22) "(object value omitted)"
26+
["lastChild"]=>
27+
string(22) "(object value omitted)"
28+
["previousSibling"]=>
29+
NULL
30+
["nextSibling"]=>
31+
NULL
32+
["attributes"]=>
33+
NULL
34+
["isConnected"]=>
35+
bool(false)
36+
["namespaceURI"]=>
37+
NULL
38+
["prefix"]=>
39+
string(0) ""
40+
["localName"]=>
41+
NULL
42+
["baseURI"]=>
43+
NULL
44+
["textContent"]=>
45+
string(0) ""
46+
}

ext/dom/tests/delayed_freeing/entity_declaration.phpt

Lines changed: 19 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,16 +9,32 @@ $doc->loadXML(<<<'XML'
99
<?xml version="1.0"?>
1010
<!DOCTYPE books [
1111
<!ENTITY test "entity is only for test purposes">
12+
<!ENTITY myimage PUBLIC "-" "mypicture.gif" NDATA GIF>
1213
]>
1314
<container/>
1415
XML);
15-
$entity = $doc->doctype->entities[0];
16-
var_dump($entity->nodeName, $entity->parentNode->nodeName);
16+
$ref1 = $doc->createEntityReference("test");
17+
$ref2 = $doc->createEntityReference("myimage");
18+
$entity1 = $doc->doctype->entities[0];
19+
$entity2 = $doc->doctype->entities[1];
20+
21+
// Entity order depends on addresses
22+
if ($entity1->nodeName !== "test") {
23+
[$entity1, $entity2] = [$entity2, $entity1];
24+
}
25+
26+
var_dump($entity1->nodeName, $entity1->parentNode->nodeName);
27+
var_dump($entity2->nodeName, $entity2->parentNode->nodeName);
1728
$doc->removeChild($doc->doctype);
18-
var_dump($entity->nodeName, $entity->parentNode);
29+
var_dump($entity1->nodeName, $entity1->parentNode);
30+
var_dump($entity2->nodeName, $entity2->parentNode);
1931
?>
2032
--EXPECT--
2133
string(4) "test"
2234
string(5) "books"
35+
string(7) "myimage"
36+
string(5) "books"
2337
string(4) "test"
2438
NULL
39+
string(7) "myimage"
40+
NULL

ext/libxml/libxml.c

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -206,12 +206,10 @@ static void php_libxml_node_free(xmlNodePtr node)
206206
* dtd is attached to the document. This works around the issue by inspecting the parent directly. */
207207
case XML_ENTITY_DECL: {
208208
xmlEntityPtr entity = (xmlEntityPtr) node;
209-
php_libxml_unlink_entity_decl(entity);
210-
if (entity->orig != NULL) {
211-
xmlFree((char *) entity->orig);
212-
entity->orig = NULL;
209+
if (entity->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
210+
php_libxml_unlink_entity_decl(entity);
211+
xmlFreeEntity(entity);
213212
}
214-
xmlFreeNode(node);
215213
break;
216214
}
217215
case XML_NOTATION_NODE: {
@@ -1385,6 +1383,15 @@ PHP_LIBXML_API void php_libxml_node_free_resource(xmlNodePtr node)
13851383
case XML_DOCUMENT_NODE:
13861384
case XML_HTML_DOCUMENT_NODE:
13871385
break;
1386+
case XML_ENTITY_REF_NODE:
1387+
/* Entity reference nodes are special: their children point to entity declarations,
1388+
* but they don't own the declarations and therefore shouldn't free the children.
1389+
* Moreover, there can be N>1 reference nodes for a single entity declarations. */
1390+
php_libxml_unregister_node(node);
1391+
if (node->parent == NULL) {
1392+
php_libxml_node_free(node);
1393+
}
1394+
break;
13881395
default:
13891396
if (node->parent == NULL || node->type == XML_NAMESPACE_DECL) {
13901397
php_libxml_node_free_list((xmlNodePtr) node->children);

0 commit comments

Comments
 (0)