Merge branch 'PHP-8.3'

nielsdos · nielsdos · commit 61b7370b6d78 · 2023-12-17T11:52:48.000+01:00
* PHP-8.3: Fix GH-12929: SimpleXMLElement with stream_wrapper_register can segfault Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash Fix GH-12962: Double free of init_file in phpdbg_prompt.c
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
@@ -415,8 +415,6 @@ static zval *sxe_prop_dim_write(zend_object *object, zval *member, zval *value,
 
 	GET_NODE(sxe, node);
 
-	php_libxml_invalidate_node_list_cache_from_doc(node->doc);
-
 	if (sxe->iter.type == SXE_ITER_ATTRLIST) {
 		attribs = 1;
 		elements = 0;
@@ -477,6 +475,8 @@ static zval *sxe_prop_dim_write(zend_object *object, zval *member, zval *value,
 	}
 
 	if (node) {
+		php_libxml_invalidate_node_list_cache_from_doc(node->doc);
+
 		if (attribs) {
 			if (Z_TYPE_P(member) == IS_LONG) {
 				while (attr && nodendx <= Z_LVAL_P(member)) {
@@ -619,6 +619,9 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f
 
 	sxe = php_sxe_fetch_object(object);
 	GET_NODE(sxe, node);
+	if (UNEXPECTED(!node)) {
+		return &EG(error_zval);
+	}
 	name = ZSTR_VAL(zname);
 	node = sxe_get_element_by_name(sxe, node, name, &type);
 	if (node) {
@@ -788,8 +791,6 @@ static void sxe_prop_dim_delete(zend_object *object, zval *member, bool elements
 
 	GET_NODE(sxe, node);
 
-	php_libxml_invalidate_node_list_cache_from_doc(node->doc);
-
 	if (Z_TYPE_P(member) == IS_LONG) {
 		if (sxe->iter.type != SXE_ITER_ATTRLIST) {
 			attribs = 0;
@@ -813,6 +814,8 @@ static void sxe_prop_dim_delete(zend_object *object, zval *member, bool elements
 	}
 
 	if (node) {
+		php_libxml_invalidate_node_list_cache_from_doc(node->doc);
+
 		if (attribs) {
 			if (Z_TYPE_P(member) == IS_LONG) {
 				int	nodendx = 0;
@@ -1639,8 +1642,6 @@ PHP_METHOD(SimpleXMLElement, addChild)
 	sxe = Z_SXEOBJ_P(ZEND_THIS);
 	GET_NODE(sxe, node);
 
-	php_libxml_invalidate_node_list_cache_from_doc(node->doc);
-
 	if (sxe->iter.type == SXE_ITER_ATTRLIST) {
 		php_error_docref(NULL, E_WARNING, "Cannot add element to attributes");
 		return;
@@ -1653,6 +1654,8 @@ PHP_METHOD(SimpleXMLElement, addChild)
 		return;
 	}
 
+	php_libxml_invalidate_node_list_cache_from_doc(node->doc);
+
 	localname = xmlSplitQName2((xmlChar *)qname, &prefix);
 	if (localname == NULL) {
 		localname = xmlStrdup((xmlChar *)qname);
diff --git a/ext/simplexml/tests/get_prop_address_not_initialized.phpt b/ext/simplexml/tests/get_prop_address_not_initialized.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Getting the address of an uninitialized property of a SimpleXMLElement
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+
+$rc = new ReflectionClass('SimpleXMLElement');
+$sxe = $rc->newInstanceWithoutConstructor();
+$sxe->a['b'] = 'b';
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: SimpleXMLElement is not properly initialized in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
diff --git a/ext/simplexml/tests/gh12929.phpt b/ext/simplexml/tests/gh12929.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-12929 (SimpleXMLElement with stream_wrapper_register can segfault)
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+$scheme = "foo1";
+stream_wrapper_register($scheme, "SimpleXMLIterator");
+try {
+    file_get_contents($scheme . "://x");
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+    echo $e->getPrevious()->getMessage(), "\n";
+}
+
+$scheme = "foo2";
+stream_wrapper_register($scheme, "SimpleXMLElement");
+try {
+    file_get_contents($scheme . "://x");
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+    echo $e->getPrevious()->getMessage(), "\n";
+}
+?>
+--EXPECT--
+It's not possible to assign a complex type to properties, resource given
+SimpleXMLElement is not properly initialized
+It's not possible to assign a complex type to properties, resource given
+SimpleXMLElement is not properly initialized
diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c
@@ -363,7 +363,7 @@ void phpdbg_init(char *init_file, size_t init_file_len, bool use_default) /* {{{
 			}
 
 			ZEND_IGNORE_VALUE(asprintf(&init_file, "%s/%s", scan_dir, PHPDBG_INIT_FILENAME));
-			phpdbg_try_file_init(init_file, strlen(init_file), 1);
+			phpdbg_try_file_init(init_file, strlen(init_file), 0);
 			free(init_file);
 			if (i == -1) {
 				break;
diff --git a/sapi/phpdbg/tests/gh12962.phpt b/sapi/phpdbg/tests/gh12962.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-12962 (Double free of init_file in phpdbg_prompt.c)
+--SKIPIF--
+<?php
+if (!getenv('TEST_PHPDBG_EXECUTABLE')) die("SKIP: No TEST_PHPDBG_EXECUTABLE specified");
+?>
+--FILE--
+<?php
+putenv('PHP_INI_SCAN_DIR='.__DIR__."/gh12962");
+passthru($_ENV['TEST_PHPDBG_EXECUTABLE'] . " -q");
+?>
+--EXPECT--
+Executed .phpdbginit
diff --git a/sapi/phpdbg/tests/gh12962/.phpdbginit b/sapi/phpdbg/tests/gh12962/.phpdbginit
@@ -0,0 +1,2 @@
+ev "Executed .phpdbginit"
+q

Original file line number	Diff line number	Diff line change
`@@ -363,7 +363,7 @@ void phpdbg_init(char init_file, size_t init_file_len, bool use_default) / {{{`
`363`	`363`	`}`
`364`	`364`
`365`	`365`	`ZEND_IGNORE_VALUE(asprintf(&init_file, "%s/%s", scan_dir, PHPDBG_INIT_FILENAME));`
`366`		`- phpdbg_try_file_init(init_file, strlen(init_file), 1);`
	`366`	`+ phpdbg_try_file_init(init_file, strlen(init_file), 0);`
`367`	`367`	`free(init_file);`
`368`	`368`	`if (i == -1) {`
`369`	`369`	`break;`