Backported for 5.4 from 5.5.35 by Remi Collet From dccda88f27a084bcbbb30198ace12b4e7ae961cc Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 24 Apr 2016 23:50:57 -0700 Subject: [PATCH] Fix bug #72099: xml_parse_into_struct segmentation fault --- ext/xml/tests/bug72099.phpt | 17 +++++++ ext/xml/xml.c | 106 ++++++++++++++++++++++---------------------- 2 files changed, 70 insertions(+), 53 deletions(-) create mode 100644 ext/xml/tests/bug72099.phpt diff --git a/ext/xml/tests/bug72099.phpt b/ext/xml/tests/bug72099.phpt new file mode 100644 index 0000000..50173a6 --- /dev/null +++ b/ext/xml/tests/bug72099.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #72099: xml_parse_into_struct segmentation fault +--SKIPIF-- + +--FILE-- +ptr; - + if (parser->parser) { XML_ParserFree(parser->parser); } @@ -503,7 +503,7 @@ static void xml_set_handler(zval **handler, zval **data) /* {{{ xml_call_handler() */ static zval *xml_call_handler(xml_parser *parser, zval *handler, zend_function *function_ptr, int argc, zval **argv) { - int i; + int i; TSRMLS_FETCH(); if (parser && handler && !EG(exception)) { @@ -516,7 +516,7 @@ static zval *xml_call_handler(xml_parser *parser, zval *handler, zend_function * for (i = 0; i < argc; i++) { args[i] = &argv[i]; } - + fci.size = sizeof(fci); fci.function_table = EG(function_table); fci.function_name = handler; @@ -540,7 +540,7 @@ static zval *xml_call_handler(xml_parser *parser, zval *handler, zend_function * Z_TYPE_PP(obj) == IS_OBJECT && Z_TYPE_PP(method) == IS_STRING) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call handler %s::%s()", Z_OBJCE_PP(obj)->name, Z_STRVAL_PP(method)); - } else + } else php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call handler"); } 
@@ -739,14 +739,14 @@ static void _xml_add_to_info(xml_parser *parser,char *name) if (zend_hash_find(Z_ARRVAL_P(parser->info),name,strlen(name) + 1,(void **) &element) == FAILURE) { MAKE_STD_ZVAL(values); - + array_init(values); - + zend_hash_update(Z_ARRVAL_P(parser->info), name, strlen(name)+1, (void *) &values, sizeof(zval*), (void **) &element); - } - + } + add_next_index_long(*element,parser->curtag); - + parser->curtag++; } /* }}} */ @@ -798,11 +798,11 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch efree(att); } - + if ((retval = xml_call_handler(parser, parser->startElementHandler, parser->startElementPtr, 3, args))) { zval_ptr_dtor(&retval); } - } + } if (parser->data) { if (parser->level <= XML_MAXLEVEL) { @@ -874,7 +874,7 @@ void _xml_endElementHandler(void *userData, const XML_Char *name) if ((retval = xml_call_handler(parser, parser->endElementHandler, parser->endElementPtr, 2, args))) { zval_ptr_dtor(&retval); } - } + } if (parser->data) { zval *tag; @@ -885,13 +885,13 @@ void _xml_endElementHandler(void *userData, const XML_Char *name) MAKE_STD_ZVAL(tag); array_init(tag); - + _xml_add_to_info(parser,((char *) tag_name) + parser->toffset); add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */ add_assoc_string(tag,"type","close",1); add_assoc_long(tag,"level",parser->level); - + zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL); } @@ -923,7 +923,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) if ((retval = xml_call_handler(parser, parser->characterDataHandler, parser->characterDataPtr, 2, args))) { zval_ptr_dtor(&retval); } - } + } if (parser->data) { int i; 
@@ -931,7 +931,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) char *decoded_value; int decoded_len; - + decoded_value = xml_utf8_decode(s,len,&decoded_len,parser->target_encoding); for (i = 0; i < decoded_len; i++) { switch (decoded_value[i]) { @@ -950,7 +950,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) if (doprint || (! parser->skipwhite)) { if (parser->lastwasopen) { zval **myval; - + /* check if the current tag already has a value - if yes append to that! */ if (zend_hash_find(Z_ARRVAL_PP(parser->ctag),"value",sizeof("value"),(void **) &myval) == SUCCESS) { int newlen = Z_STRLEN_PP(myval) + decoded_len; @@ -961,7 +961,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) } else { add_assoc_string(*(parser->ctag),"value",decoded_value,0); } - + } else { zval *tag; zval **curtag, **mytype, **myval; @@ -984,7 +984,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) } } - if (parser->level <= XML_MAXLEVEL) { + if (parser->level <= XML_MAXLEVEL && parser->level > 0) { MAKE_STD_ZVAL(tag); array_init(tag); @@ -1046,8 +1046,8 @@ void _xml_defaultHandler(void *userData, const XML_Char *s, int len) /* }}} */ /* {{{ _xml_unparsedEntityDeclHandler() */ -void _xml_unparsedEntityDeclHandler(void *userData, - const XML_Char *entityName, +void _xml_unparsedEntityDeclHandler(void *userData, + const XML_Char *entityName, const XML_Char *base, const XML_Char *systemId, const XML_Char *publicId, @@ -1172,9 +1172,9 @@ static void php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAMETERS, int ns_supp char *ns_param = NULL; int ns_param_len = 0; - + XML_Char *encoding; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, (ns_support ? "|ss": "|s"), &encoding_param, &encoding_param_len, &ns_param, &ns_param_len) == FAILURE) { RETURN_FALSE; } 
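Review bot: The added `parser->level > 0` test in the `@@ -984` hunk of `_xml_characterDataHandler` is the entire fix for #72099, yet nothing in the hunk says why a level of zero is dangerous; the access it protects lies below the hunk and is not visible here, so the bound reads as arbitrary and invites being "simplified" away later. If, as I suspect, the code under this branch indexes the per-level tag array at `level-1`, I would put that reason directly above the condition, e.g. `/* level 0 is character data outside any element: the tag-stack lookup below would index at level-1, so skip it */`. Note also that such data is now silently discarded rather than diagnosed; if the `XML_MAXLEVEL` depth-overflow path in this function emits a warning, a matching one here would keep behaviour consistent, though I cannot confirm that from the visible lines. The new `bug72099.phpt` body is not legible in this copy of the patch (its `--FILE--` section appears empty after `+--FILE--`), so the regression it pins cannot be checked here; the enclosing handler starts and ends outside the hunk.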
@@ -1220,15 +1220,15 @@ static void php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAMETERS, int ns_supp } /* }}} */ -/* {{{ proto resource xml_parser_create([string encoding]) +/* {{{ proto resource xml_parser_create([string encoding]) Create an XML parser */ PHP_FUNCTION(xml_parser_create) { - php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0); + php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0); } /* }}} */ -/* {{{ proto resource xml_parser_create_ns([string encoding [, string sep]]) +/* {{{ proto resource xml_parser_create_ns([string encoding [, string sep]]) Create an XML parser */ PHP_FUNCTION(xml_parser_create_ns) { @@ -1236,7 +1236,7 @@ PHP_FUNCTION(xml_parser_create_ns) } /* }}} */ -/* {{{ proto int xml_set_object(resource parser, object &obj) +/* {{{ proto int xml_set_object(resource parser, object &obj) Set up object which should be used for callbacks */ PHP_FUNCTION(xml_set_object) { @@ -1256,7 +1256,7 @@ PHP_FUNCTION(xml_set_object) /* please leave this commented - or ask thies@thieso.net before doing it (again) */ /* #ifdef ZEND_ENGINE_2 - zval_add_ref(&parser->object); + zval_add_ref(&parser->object); #endif */ ALLOC_ZVAL(parser->object); @@ -1266,7 +1266,7 @@ PHP_FUNCTION(xml_set_object) } /* }}} */ -/* {{{ proto int xml_set_element_handler(resource parser, string shdl, string ehdl) +/* {{{ proto int xml_set_element_handler(resource parser, string shdl, string ehdl) Set up start and end element handlers */ PHP_FUNCTION(xml_set_element_handler) { @@ -1286,7 +1286,7 @@ PHP_FUNCTION(xml_set_element_handler) } /* }}} */ -/* {{{ proto int xml_set_character_data_handler(resource parser, string hdl) +/* {{{ proto int xml_set_character_data_handler(resource parser, string hdl) Set up character data handler */ PHP_FUNCTION(xml_set_character_data_handler) { 
@@ -1305,7 +1305,7 @@ PHP_FUNCTION(xml_set_character_data_handler) } /* }}} */ -/* {{{ proto int xml_set_processing_instruction_handler(resource parser, string hdl) +/* {{{ proto int xml_set_processing_instruction_handler(resource parser, string hdl) Set up processing instruction (PI) handler */ PHP_FUNCTION(xml_set_processing_instruction_handler) { @@ -1324,7 +1324,7 @@ PHP_FUNCTION(xml_set_processing_instruction_handler) } /* }}} */ -/* {{{ proto int xml_set_default_handler(resource parser, string hdl) +/* {{{ proto int xml_set_default_handler(resource parser, string hdl) Set up default handler */ PHP_FUNCTION(xml_set_default_handler) { @@ -1342,7 +1342,7 @@ PHP_FUNCTION(xml_set_default_handler) } /* }}} */ -/* {{{ proto int xml_set_unparsed_entity_decl_handler(resource parser, string hdl) +/* {{{ proto int xml_set_unparsed_entity_decl_handler(resource parser, string hdl) Set up unparsed entity declaration handler */ PHP_FUNCTION(xml_set_unparsed_entity_decl_handler) { @@ -1361,7 +1361,7 @@ PHP_FUNCTION(xml_set_unparsed_entity_decl_handler) } /* }}} */ -/* {{{ proto int xml_set_notation_decl_handler(resource parser, string hdl) +/* {{{ proto int xml_set_notation_decl_handler(resource parser, string hdl) Set up notation declaration handler */ PHP_FUNCTION(xml_set_notation_decl_handler) { @@ -1379,7 +1379,7 @@ PHP_FUNCTION(xml_set_notation_decl_handler) } /* }}} */ -/* {{{ proto int xml_set_external_entity_ref_handler(resource parser, string hdl) +/* {{{ proto int xml_set_external_entity_ref_handler(resource parser, string hdl) Set up external entity reference handler */ PHP_FUNCTION(xml_set_external_entity_ref_handler) { @@ -1397,7 +1397,7 @@ PHP_FUNCTION(xml_set_external_entity_ref_handler) } /* }}} */ -/* {{{ proto int xml_set_start_namespace_decl_handler(resource parser, string hdl) +/* {{{ proto int xml_set_start_namespace_decl_handler(resource parser, string hdl) Set up character data handler */ PHP_FUNCTION(xml_set_start_namespace_decl_handler) { 
@@ -1416,7 +1416,7 @@ PHP_FUNCTION(xml_set_start_namespace_decl_handler) } /* }}} */ -/* {{{ proto int xml_set_end_namespace_decl_handler(resource parser, string hdl) +/* {{{ proto int xml_set_end_namespace_decl_handler(resource parser, string hdl) Set up character data handler */ PHP_FUNCTION(xml_set_end_namespace_decl_handler) { @@ -1435,7 +1435,7 @@ PHP_FUNCTION(xml_set_end_namespace_decl_handler) } /* }}} */ -/* {{{ proto int xml_parse(resource parser, string data [, int isFinal]) +/* {{{ proto int xml_parse(resource parser, string data [, int isFinal]) Start parsing an XML document */ PHP_FUNCTION(xml_parse) { @@ -1471,8 +1471,8 @@ PHP_FUNCTION(xml_parse_into_struct) if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rsZ|Z", &pind, &data, &data_len, &xdata, &info) == FAILURE) { return; } - - if (info) { + + if (info) { zval_dtor(*info); array_init(*info); } @@ -1483,11 +1483,11 @@ PHP_FUNCTION(xml_parse_into_struct) array_init(*xdata); parser->data = *xdata; - + if (info) { parser->info = *info; } - + parser->level = 0; parser->ltags = safe_emalloc(XML_MAXLEVEL, sizeof(char *), 0); @@ -1503,7 +1503,7 @@ PHP_FUNCTION(xml_parse_into_struct) } /* }}} */ -/* {{{ proto int xml_get_error_code(resource parser) +/* {{{ proto int xml_get_error_code(resource parser) Get XML parser error code */ PHP_FUNCTION(xml_get_error_code) { @@ -1537,7 +1537,7 @@ PHP_FUNCTION(xml_error_string) } /* }}} */ -/* {{{ proto int xml_get_current_line_number(resource parser) +/* {{{ proto int xml_get_current_line_number(resource parser) Get current line number for an XML parser */ PHP_FUNCTION(xml_get_current_line_number) { @@ -1569,7 +1569,7 @@ PHP_FUNCTION(xml_get_current_column_number) } /* }}} */ -/* {{{ proto int xml_get_current_byte_index(resource parser) +/* {{{ proto int xml_get_current_byte_index(resource parser) Get current byte index for an XML parser */ PHP_FUNCTION(xml_get_current_byte_index) { 
@@ -1585,7 +1585,7 @@ PHP_FUNCTION(xml_get_current_byte_index) } /* }}} */ -/* {{{ proto int xml_parser_free(resource parser) +/* {{{ proto int xml_parser_free(resource parser) Free an XML parser */ PHP_FUNCTION(xml_parser_free) { @@ -1611,7 +1611,7 @@ PHP_FUNCTION(xml_parser_free) } /* }}} */ -/* {{{ proto int xml_parser_set_option(resource parser, int option, mixed value) +/* {{{ proto int xml_parser_set_option(resource parser, int option, mixed value) Set options in an XML parser */ PHP_FUNCTION(xml_parser_set_option) { @@ -1657,7 +1657,7 @@ PHP_FUNCTION(xml_parser_set_option) } /* }}} */ -/* {{{ proto int xml_parser_get_option(resource parser, int option) +/* {{{ proto int xml_parser_get_option(resource parser, int option) Get options from an XML parser */ PHP_FUNCTION(xml_parser_get_option) { @@ -1687,7 +1687,7 @@ PHP_FUNCTION(xml_parser_get_option) } /* }}} */ -/* {{{ proto string utf8_encode(string data) +/* {{{ proto string utf8_encode(string data) Encodes an ISO-8859-1 string to UTF-8 */ PHP_FUNCTION(utf8_encode) { @@ -1707,7 +1707,7 @@ PHP_FUNCTION(utf8_encode) } /* }}} */ -/* {{{ proto string utf8_decode(string data) +/* {{{ proto string utf8_decode(string data) Converts a UTF-8 encoded string to ISO-8859-1 */ PHP_FUNCTION(utf8_decode) {