
Commit e4a28b7

author
Rob Richards
committed
Merge branch 'PHP-5.3' into PHP-5.4
# By Rob Richards (1) * PHP-5.3: truncate results at depth of 255 to prevent corruption
2 parents c652cc9 + 7d163e8 commit e4a28b7


1 file changed

+50
-40
lines changed


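--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -428,7 +428,7 @@ static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 }
 if (parser->ltags) {
 int inx;
-for (inx = 0; inx < parser->level; inx++)
+for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++)
 efree(parser->ltags[ inx ]);
 efree(parser->ltags);
 }
@@ -805,45 +805,50 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch
 }
 
 if (parser->data) {
-zval *tag, *atr;
-int atcnt = 0;
+if (parser->level <= XML_MAXLEVEL) {
+zval *tag, *atr;
+int atcnt = 0;
 
-MAKE_STD_ZVAL(tag);
-MAKE_STD_ZVAL(atr);
+MAKE_STD_ZVAL(tag);
+MAKE_STD_ZVAL(atr);
 
-array_init(tag);
-array_init(atr);
+array_init(tag);
+array_init(atr);
 
-_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
+_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
 
-add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
-add_assoc_string(tag,"type","open",1);
-add_assoc_long(tag,"level",parser->level);
+add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
+add_assoc_string(tag,"type","open",1);
+add_assoc_long(tag,"level",parser->level);
 
-parser->ltags[parser->level-1] = estrdup(tag_name);
-parser->lastwasopen = 1;
+parser->ltags[parser->level-1] = estrdup(tag_name);
+parser->lastwasopen = 1;
 
-attributes = (const XML_Char **) attrs;
+attributes = (const XML_Char **) attrs;
 
-while (attributes && *attributes) {
-att = _xml_decode_tag(parser, attributes[0]);
-val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
-
-add_assoc_stringl(atr,att,val,val_len,0);
+while (attributes && *attributes) {
+att = _xml_decode_tag(parser, attributes[0]);
+val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
 
-atcnt++;
-attributes += 2;
+add_assoc_stringl(atr,att,val,val_len,0);
 
-efree(att);
-}
+atcnt++;
+attributes += 2;
 
-if (atcnt) {
-zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
-} else {
-zval_ptr_dtor(&atr);
-}
+efree(att);
+}
+
+if (atcnt) {
+zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
+} else {
+zval_ptr_dtor(&atr);
+}
 
-zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
+zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
+} else if (parser->level == (XML_MAXLEVEL + 1)) {
+TSRMLS_FETCH();
+php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
+}
 }
 
 efree(tag_name);
@@ -895,7 +900,7 @@ void _xml_endElementHandler(void *userData, const XML_Char *name)
 
 efree(tag_name);
 
-if (parser->ltags) {
+if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) {
 efree(parser->ltags[parser->level-1]);
 }
 
@@ -979,18 +984,23 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len)
 }
 }
 
-MAKE_STD_ZVAL(tag);
-
-array_init(tag);
-
-_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
+if (parser->level <= XML_MAXLEVEL) {
+MAKE_STD_ZVAL(tag);
+
+array_init(tag);
 
-add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
-add_assoc_string(tag,"value",decoded_value,0);
-add_assoc_string(tag,"type","cdata",1);
-add_assoc_long(tag,"level",parser->level);
+_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
 
-zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
+add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
+add_assoc_string(tag,"value",decoded_value,0);
+add_assoc_string(tag,"type","cdata",1);
+add_assoc_long(tag,"level",parser->level);
+
+zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
+} else if (parser->level == (XML_MAXLEVEL + 1)) {
+TSRMLS_FETCH();
+php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
+}
 }
 } else {
 efree(decoded_value);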
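Review bot: In the last hunk (_xml_characterDataHandler) the over-depth path never releases `decoded_value`: inside the new guard the buffer is handed to the result array by `add_assoc_string(tag,"value",decoded_value,0)` (no duplicate), but when `parser->level > XML_MAXLEVEL` nothing takes ownership, so each text node below the cut-off appears to leak its buffer until the request ends. Adding `efree(decoded_value);` on that path, both in the `else if` warning branch and for deeper levels, would close it. The same guard bounds `parser->level` only from above while indexing `parser->ltags[parser->level-1]`; if level can be 0 when character data arrives, `if (parser->level > 0 && parser->level <= XML_MAXLEVEL) {` would be the safer condition. The handler body starts and ends outside the hunk, so both points should be checked against the full function.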
