Fix GH-14124: Segmentation fault on unknown address 0x0001ffff8041 with XML extension under certain memory limit (#14126)

nielsdos · nielsdos · commit 427c24416887 · 2024-05-04T14:05:24.000+02:00
The ltags were not initialized, so when an OOM happens before the new value is written, uninitialized data is used.
diff --git a/NEWS b/NEWS
@@ -13,6 +13,10 @@ PHP                                                                        NEWS
   . Fix crash when calling childNodes next() when iterator is exhausted.
     (nielsdos)
 
+- XML:
+  . Fixed bug GH-14124 (Segmentation fault with XML extension under certain
+    memory limit). (nielsdos)
+
 09 May 2024, PHP 8.2.19
 
 - Core:
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
@@ -1292,6 +1292,7 @@ PHP_FUNCTION(xml_parse_into_struct)
 	parser->level = 0;
 	xml_parser_free_ltags(parser);
 	parser->ltags = safe_emalloc(XML_MAXLEVEL, sizeof(char *), 0);
+	memset(parser->ltags, 0, XML_MAXLEVEL * sizeof(char *));
 
 	XML_SetElementHandler(parser->parser, _xml_startElementHandler, _xml_endElementHandler);
 	XML_SetCharacterDataHandler(parser->parser, _xml_characterDataHandler);
