We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
There was an error while loading. Please reload this page.
2 parents cd977ae + 52c7c74 commit f576b81Copy full SHA for f576b81
ext/dom/php_dom.c
@@ -1465,6 +1465,10 @@ void dom_namednode_iter(dom_object *basenode, int ntype, dom_object *intern, xml
1465
mapptr->baseobj = basenode;
1466
mapptr->nodetype = ntype;
1467
mapptr->ht = ht;
1468
+ if (EXPECTED(doc != NULL)) {
1469
+ mapptr->dict = doc->dict;
1470
+ xmlDictReference(doc->dict);
1471
+ }
1472
1473
const xmlChar* tmp;
1474
@@ -1578,6 +1582,7 @@ void dom_nnodemap_objects_free_storage(zend_object *object) /* {{{ */
1578
1582
if (!Z_ISUNDEF(objmap->baseobj_zv)) {
1579
1583
zval_ptr_dtor(&objmap->baseobj_zv);
1580
1584
}
1585
+ xmlDictFree(objmap->dict);
1581
1586
efree(objmap);
1587
intern->ptr = NULL;
1588
@@ -1609,6 +1614,7 @@ zend_object *dom_nnodemap_objects_new(zend_class_entry *class_type)
1609
1614
objmap->cached_length = -1;
1610
1615
objmap->cached_obj = NULL;
1611
1616
objmap->cached_obj_index = 0;
1617
+ objmap->dict = NULL;
1612
1618
1613
1619
return &intern->std;
1620
ext/dom/php_dom.h
@@ -88,6 +88,7 @@ typedef struct dom_nnodemap_object {
88
php_libxml_cache_tag cache_tag;
89
dom_object *cached_obj;
90
zend_long cached_obj_index;
91
+ xmlDictPtr dict;
92
bool free_local : 1;
93
bool free_ns : 1;
94
} dom_nnodemap_object;
ext/dom/tests/gh16906.phpt
@@ -0,0 +1,17 @@
1
+--TEST--
2
+GH-16906 (Reloading document can cause UAF in iterator)
3
+--EXTENSIONS--
4
+dom
5
+--FILE--
6
+<?php
7
+$doc = new DOMDocument;
8
+$doc->loadXML('<?xml version="1.0"?><span><strong id="1"/><strong id="2"/></span>');
9
+$list = $doc->getElementsByTagName('strong');
10
+$doc->load(__DIR__."/book.xml");
11
+var_dump($list);
12
+?>
13
+--EXPECT--
14
+object(DOMNodeList)#2 (1) {
15
+ ["length"]=>
16
+ int(0)
17
+}
AltStyle によって変換されたページ (->オリジナル) / アドレス: モード: デフォルト 音声ブラウザ ルビ付き 配色反転 文字拡大 モバイル
0 commit comments