diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-01-29 18:23:51 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-01-30 13:04:57 +0100 |
commit | 8226e704e4e6066a5bd41b57b2934a3371896be2 (patch) | |
tree | 86fca74729179e8ebda16c108b1068f19579aaea | |
parent | 494615fcb8c1fb5984e0e7d666e51a2dfc6bee55 (diff) | |
download | php-git-8226e704e4e6066a5bd41b57b2934a3371896be2.tar.gz |
Fix #70078: XSL callbacks with nodes as parameter leak memory
The fix for bug #49634 solved a double-free by copying the node with
`xmlDocCopyNodeList()`, but the copied node is later freed by calling
`xmlFreeNode()` instead of `xmlFreeNodeList()`, thus leaking memory.
However, there is no need to treat the node as node list, i.e. to copy
also the node's siblings; just creating a recursive copy of the node
with `xmlDocCopyNode()` is sufficient, while that also avoids the leak.
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/xsl/tests/bug70078.phpt | 51 | ||||
-rw-r--r-- | ext/xsl/xsltprocessor.c | 2 |
3 files changed, 55 insertions, 1 deletions
@@ -36,6 +36,9 @@ PHP NEWS - Standard: . Fixed bug #78902 (Memory leak when using stream_filter_append). (liudaixiao) +- XSL: + . Fixed bug #70078 (XSL callbacks with nodes as parameter leak memory). (cmb) + 23 Jan 2020, PHP 7.3.14 - Core diff --git a/ext/xsl/tests/bug70078.phpt b/ext/xsl/tests/bug70078.phpt new file mode 100644 index 0000000000..41e9485a0f --- /dev/null +++ b/ext/xsl/tests/bug70078.phpt @@ -0,0 +1,51 @@ +--TEST-- +Bug #70078 (XSL callbacks with nodes as parameter leak memory) +--SKIPIF-- +<?php +if (!extension_loaded('xsl')) die('skip xsl extension not available'); +?> +--FILE-- +<?php +// create big dummy document: +$dom = new \DOMDocument(); +$rootNode = $dom->appendChild($dom->createElement('root')); +for ($i = 0; $i <= 100; $i++) { + $level1Node = $rootNode->appendChild($dom->createElement('level1')); + for ($j = 0; $j <= 100; $j++) { + $level2Node = $level1Node->appendChild($dom->createElement('level2')); + for ($k = 0; $k <= 10; $k++) { + $level3Node = $level2Node->appendChild($dom->createElement('level3', 'test')); + } + } +} + +function testPhpFunction($node) { + return 'test2'; +} + +$xslStr = <<<EOF +<?xml version="1.0" encoding="utf-8"?> +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"> + <xsl:template match="root"> + <output> + <xsl:for-each select="level1"> + <node> + <xsl:value-of select="php:function('testPhpFunction', .)" /> + </node> + </xsl:for-each> + </output> + </xsl:template> +</xsl:stylesheet> +EOF; + +$xsl = new \DOMDocument(); +$xsl->loadXML($xslStr); +$xslt = new \XSLTProcessor(); +$xslt->registerPHPFunctions('testPhpFunction'); +$xslt->importStyleSheet($xsl); + +echo $xslt->transformToXML($dom); +?> +--EXPECT-- +<?xml version="1.0"?> +<output xmlns:php="http://php.net/xsl"><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node><node>test2</node></output> diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c index accee6c9ac..182aab68d6 100644 --- a/ext/xsl/xsltprocessor.c +++ b/ext/xsl/xsltprocessor.c @@ -274,7 +274,7 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t node->parent = nsparent; node->ns = curns; } else { - node = xmlDocCopyNodeList(domintern->document->ptr, node); + node = xmlDocCopyNode(node, domintern->document->ptr, 1); } php_dom_create_object(node, &child, domintern); |