Merge branch 'PHP-8.4'

nielsdos · nielsdos · commit efaae93e4886 · 2025-05-20T21:32:27.000+02:00
* PHP-8.4: Fix GH-18597: Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes
diff --git a/ext/dom/inner_outer_html_mixin.c b/ext/dom/inner_outer_html_mixin.c
@@ -95,7 +95,7 @@ static zend_string *dom_element_html_fragment_serialize(dom_object *obj, xmlNode
 				status |= xmlOutputBufferFlush(out);
 				status |= xmlOutputBufferClose(out);
 			}
-			(void) xmlSaveClose(ctxt);
+			status |= xmlSaveClose(ctxt);
 			xmlCharEncCloseFunc(handler);
 		}
 		if (UNEXPECTED(status < 0)) {
diff --git a/ext/dom/xml_document.c b/ext/dom/xml_document.c
@@ -282,7 +282,7 @@ static zend_string *php_new_dom_dump_node_to_str_ex(xmlNodePtr node, int options
 		} else {
 			xmlCharEncCloseFunc(handler);
 		}
-		(void) xmlSaveClose(ctxt);
+		status |= xmlSaveClose(ctxt);
 	}
 
 	if (UNEXPECTED(status < 0)) {
@@ -319,7 +319,7 @@ zend_long php_new_dom_dump_node_to_file(const char *filename, xmlDocPtr doc, xml
 	if (EXPECTED(ctxt != NULL)) {
 		status = dom_xml_serialize(ctxt, out, node, format, false, get_private_data_from_node(node));
 		status |= xmlOutputBufferFlush(out);
-		(void) xmlSaveClose(ctxt);
+		status |= xmlSaveClose(ctxt);
 	}
 
 	size_t offset = php_stream_tell(stream);
diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
@@ -1505,7 +1505,7 @@ static zend_string *php_libxml_default_dump_doc_to_str(xmlDocPtr doc, int option
 	}
 
 	long status = xmlSaveDoc(ctxt, doc);
-	(void) xmlSaveClose(ctxt);
+	status |= xmlSaveClose(ctxt);
 	if (status < 0) {
 		smart_str_free_ex(&str, false);
 		return NULL;
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
@@ -1403,7 +1403,8 @@ PHP_METHOD(SimpleXMLElement, asXML)
 	if (!result) {
 		RETURN_FALSE;
 	} else {
-		RETURN_NEW_STR(result);
+		/* Defense-in-depth: don't use the NEW variant in case somehow an empty string gets returned */
+		RETURN_STR(result);
 	}
 }
 /* }}} */
diff --git a/ext/simplexml/tests/gh18597.phpt b/ext/simplexml/tests/gh18597.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes)
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+$sx1 = new SimpleXMLElement("<root />");
+$sx1->node[0] = 'node1';
+$node = $sx1->node[0];
+
+$node[0] = '��c';
+
+$sx1->asXML(); // Depends on the available system encodings whether this fails or not, point is, it should not crash
+echo "Done\n";
+?>
+--EXPECT--
+Done

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ static zend_string dom_element_html_fragment_serialize(dom_object obj, xmlNode`
`95`	`95`	`status \|= xmlOutputBufferFlush(out);`
`96`	`96`	`status \|= xmlOutputBufferClose(out);`
`97`	`97`	`}`
`98`		`- (void) xmlSaveClose(ctxt);`
	`98`	`+ status \|= xmlSaveClose(ctxt);`
`99`	`99`	`xmlCharEncCloseFunc(handler);`
`100`	`100`	`}`
`101`	`101`	`if (UNEXPECTED(status < 0)) {`
Original file line number	Diff line number	Diff line change
`@@ -282,7 +282,7 @@ static zend_string *php_new_dom_dump_node_to_str_ex(xmlNodePtr node, int options`
`282`	`282`	`} else {`
`283`	`283`	`xmlCharEncCloseFunc(handler);`
`284`	`284`	`}`
`285`		`- (void) xmlSaveClose(ctxt);`
	`285`	`+ status \|= xmlSaveClose(ctxt);`
`286`	`286`	`}`
`287`	`287`
`288`	`288`	`if (UNEXPECTED(status < 0)) {`
`@@ -319,7 +319,7 @@ zend_long php_new_dom_dump_node_to_file(const char *filename, xmlDocPtr doc, xml`
`319`	`319`	`if (EXPECTED(ctxt != NULL)) {`
`320`	`320`	`status = dom_xml_serialize(ctxt, out, node, format, false, get_private_data_from_node(node));`
`321`	`321`	`status \|= xmlOutputBufferFlush(out);`
`322`		`- (void) xmlSaveClose(ctxt);`
	`322`	`+ status \|= xmlSaveClose(ctxt);`
`323`	`323`	`}`
`324`	`324`
`325`	`325`	`size_t offset = php_stream_tell(stream);`
Original file line number	Diff line number	Diff line change
`@@ -1505,7 +1505,7 @@ static zend_string *php_libxml_default_dump_doc_to_str(xmlDocPtr doc, int option`
`1505`	`1505`	`}`
`1506`	`1506`
`1507`	`1507`	`long status = xmlSaveDoc(ctxt, doc);`
`1508`		`- (void) xmlSaveClose(ctxt);`
	`1508`	`+ status \|= xmlSaveClose(ctxt);`
`1509`	`1509`	`if (status < 0) {`
`1510`	`1510`	`smart_str_free_ex(&str, false);`
`1511`	`1511`	`return NULL;`
Original file line number	Diff line number	Diff line change
`@@ -1403,7 +1403,8 @@ PHP_METHOD(SimpleXMLElement, asXML)`
`1403`	`1403`	`if (!result) {`
`1404`	`1404`	`RETURN_FALSE;`
`1405`	`1405`	`} else {`
`1406`		`- RETURN_NEW_STR(result);`
	`1406`	`+ /* Defense-in-depth: don't use the NEW variant in case somehow an empty string gets returned */`
	`1407`	`+ RETURN_STR(result);`
`1407`	`1408`	`}`
`1408`	`1409`	`}`
`1409`	`1410`	`/* }}} */`