Fix #70078: XSL callbacks with nodes as parameter leak memory

The fix for bug #49634 solved a double-free by copying the node with `xmlDocCopyNodeList()`, but the copied node is later freed by calling `xmlFreeNode()` instead of `xmlFreeNodeList()`, thus leaking memory. However, there is no need to treat the node as node list, i.e. to copy also the node's siblings; just creating a recursive copy of the node with `xmlDocCopyNode()` is sufficient, while that also avoids the leak.
author: Christoph M. Becker <cmbecker69@gmx.de> 2020-01-29 18:23:51 +0100
committer: Christoph M. Becker <cmbecker69@gmx.de> 2020-01-30 13:04:57 +0100
commit: 8226e704e4e6066a5bd41b57b2934a3371896be2 (patch)
tree: 86fca74729179e8ebda16c108b1068f19579aaea
parent: 494615fcb8c1fb5984e0e7d666e51a2dfc6bee55 (diff)
download: php-git-8226e704e4e6066a5bd41b57b2934a3371896be2.tar.gz
3 files changed, 55 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index fc8aac0601..b5ac3d6878 100644
--- a/NEWS
+++ b/NEWS
@@ -36,6 +36,9 @@ PHP                                                                        NEWS
 - Standard:
   . Fixed bug #78902 (Memory leak when using stream_filter_append). (liudaixiao)
 
+- XSL:
+  . Fixed bug #70078 (XSL callbacks with nodes as parameter leak memory). (cmb)
+
 23 Jan 2020, PHP 7.3.14
 
 - Core
diff --git a/ext/xsl/tests/bug70078.phpt b/ext/xsl/tests/bug70078.phpt
new file mode 100644
index 0000000000..41e9485a0f
--- /dev/null
+++ b/ext/xsl/tests/bug70078.phpt
@@ -0,0 +1,51 @@
+--TEST--
+Bug #70078 (XSL callbacks with nodes as parameter leak memory)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die('skip xsl extension not available');
+?>
+--FILE--
+<?php
+// create big dummy document:
+$dom = new \DOMDocument();
+$rootNode = $dom->appendChild($dom->createElement('root'));
+for ($i = 0; $i <= 100; $i++) {
+    $level1Node = $rootNode->appendChild($dom->createElement('level1'));
+    for ($j = 0; $j <= 100; $j++) {
+        $level2Node = $level1Node->appendChild($dom->createElement('level2'));
+        for ($k = 0; $k <= 10; $k++) {
+            $level3Node = $level2Node->appendChild($dom->createElement('level3', 'test'));
+        }
+    }
+}
+
+function testPhpFunction($node) {
+    return 'test2';
+}
+
+$xslStr = <<<EOF
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
+    <xsl:template match="root">
+        <output>
+            <xsl:for-each select="level1">
+                <node>
+                    <xsl:value-of select="php:function('testPhpFunction', .)" />
+                </node>
+            </xsl:for-each>
+        </output>
+    </xsl:template>
+</xsl:stylesheet>
+EOF;
+
+$xsl = new \DOMDocument();
+$xsl->loadXML($xslStr);
+$xslt = new \XSLTProcessor();
+$xslt->registerPHPFunctions('testPhpFunction');
+$xslt->importStyleSheet($xsl);
+
+echo $xslt->transformToXML($dom);
+?>
+--EXPECT--
+<?xml version="1.0"?>
+<output xmlns:php="http://php.net/xsl"><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node></output>
diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
index accee6c9ac..182aab68d6 100644
--- a/ext/xsl/xsltprocessor.c
+++ b/ext/xsl/xsltprocessor.c
@@ -274,7 +274,7 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
 								node->parent = nsparent;
 								node->ns = curns;
 							} else {
-								node = xmlDocCopyNodeList(domintern->document->ptr, node);
+								node = xmlDocCopyNode(node, domintern->document->ptr, 1);
 							}
 
 							php_dom_create_object(node, &child, domintern);
author	Christoph M. Becker <cmbecker69@gmx.de>	2020-01-29 18:23:51 +0100
committer	Christoph M. Becker <cmbecker69@gmx.de>	2020-01-30 13:04:57 +0100
commit	8226e704e4e6066a5bd41b57b2934a3371896be2 (patch)
tree	86fca74729179e8ebda16c108b1068f19579aaea
parent	494615fcb8c1fb5984e0e7d666e51a2dfc6bee55 (diff)
download	php-git-8226e704e4e6066a5bd41b57b2934a3371896be2.tar.gz