Commit 52c7c74

committed

Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix GH-16906: Reloading document can cause UAF in iterator

2 parents 9ee6078 + 9d39ff7 commit 52c7c74Copy full SHA for 52c7c74

File tree

+28

-0

lines changed

+28

-0

lines changed

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,10 @@ PHP NEWS`
`2`	`2`	`\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|`
`3`	`3`	`?? ??? ????, PHP 8.4.2`
`4`	`4`
	`5`	`+- DOM:`
	`6`	`+ . Fixed bug GH-16906 (Reloading document can cause UAF in iterator).`
	`7`	`+ (nielsdos)`
	`8`	`+`
`5`	`9`	`- Opcache:`
`6`	`10`	`. Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).`
`7`	`11`	`(dktapps)`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1469,6 +1469,10 @@ void dom_namednode_iter(dom_object basenode, int ntype, dom_object intern, xml`
`1469`	`1469`	`mapptr->baseobj = basenode;`
`1470`	`1470`	`mapptr->nodetype = ntype;`
`1471`	`1471`	`mapptr->ht = ht;`
	`1472`	`+ if (EXPECTED(doc != NULL)) {`
	`1473`	`+ mapptr->dict = doc->dict;`
	`1474`	`+ xmlDictReference(doc->dict);`
	`1475`	`+ }`
`1472`	`1476`
`1473`	`1477`	`const xmlChar* tmp;`
`1474`	`1478`
`@@ -1582,6 +1586,7 @@ void dom_nnodemap_objects_free_storage(zend_object object) / {{{ */`
`1582`	`1586`	`if (!Z_ISUNDEF(objmap->baseobj_zv)) {`
`1583`	`1587`	`zval_ptr_dtor(&objmap->baseobj_zv);`
`1584`	`1588`	`}`
	`1589`	`+ xmlDictFree(objmap->dict);`
`1585`	`1590`	`efree(objmap);`
`1586`	`1591`	`intern->ptr = NULL;`
`1587`	`1592`	`}`
`@@ -1613,6 +1618,7 @@ zend_object dom_nnodemap_objects_new(zend_class_entry class_type)`
`1613`	`1618`	`objmap->cached_length = -1;`
`1614`	`1619`	`objmap->cached_obj = NULL;`
`1615`	`1620`	`objmap->cached_obj_index = 0;`
	`1621`	`+ objmap->dict = NULL;`
`1616`	`1622`
`1617`	`1623`	`return &intern->std;`
`1618`	`1624`	`}`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,7 @@ typedef struct dom_nnodemap_object {`
`88`	`88`	`php_libxml_cache_tag cache_tag;`
`89`	`89`	`dom_object *cached_obj;`
`90`	`90`	`zend_long cached_obj_index;`
	`91`	`+ xmlDictPtr dict;`
`91`	`92`	`bool free_local : 1;`
`92`	`93`	`bool free_ns : 1;`
`93`	`94`	`} dom_nnodemap_object;`

Lines changed: 17 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,17 @@`
	`1`	`+--TEST--`
	`2`	`+GH-16906 (Reloading document can cause UAF in iterator)`
	`3`	`+--EXTENSIONS--`
	`4`	`+dom`
	`5`	`+--FILE--`
	`6`	`+<?php`
	`7`	`+$doc = new DOMDocument;`
	`8`	`+$doc->loadXML('<?xml version="1.0"?><span><strong id="1"/><strong id="2"/></span>');`
	`9`	`+$list = $doc->getElementsByTagName('strong');`
	`10`	`+$doc->load(__DIR__."/book.xml");`
	`11`	`+var_dump($list);`
	`12`	`+?>`
	`13`	`+--EXPECT--`
	`14`	`+object(DOMNodeList)#2 (1) {`
	`15`	`+ ["length"]=>`
	`16`	`+ int(0)`
	`17`	`+}`

Comments

(0)