diff --git a/NEWS b/NEWS index 7f08765f436..4cda13adfe4 100644 --- a/NEWS +++ b/NEWS @@ -22,6 +22,7 @@ PHP NEWS (nielsdos) . Fix crash when toggleAttribute() is used without a document. (nielsdos) . Fix crash in adoptNode with attribute references. (nielsdos) + . Fix crashes with entity references and predefined entities. (nielsdos) - FFI: . Fixed bug GH-9698 (stream_wrapper_register crashes with FFI\CData). diff --git a/ext/dom/tests/DOMEntityReference_predefined_free.phpt b/ext/dom/tests/DOMEntityReference_predefined_free.phpt new file mode 100644 index 00000000000..4b971d83703 --- /dev/null +++ b/ext/dom/tests/DOMEntityReference_predefined_free.phpt @@ -0,0 +1,46 @@ +--TEST-- +Freeing of a predefined DOMEntityReference +--EXTENSIONS-- +dom +--FILE-- + +--EXPECT-- +object(DOMEntityReference)#1 (17) { + ["nodeName"]=> + string(3) "amp" + ["nodeValue"]=> + NULL + ["nodeType"]=> + int(5) + ["parentNode"]=> + NULL + ["parentElement"]=> + NULL + ["childNodes"]=> + string(22) "(object value omitted)" + ["firstChild"]=> + string(22) "(object value omitted)" + ["lastChild"]=> + string(22) "(object value omitted)" + ["previousSibling"]=> + NULL + ["nextSibling"]=> + NULL + ["attributes"]=> + NULL + ["isConnected"]=> + bool(false) + ["namespaceURI"]=> + NULL + ["prefix"]=> + string(0) "" + ["localName"]=> + NULL + ["baseURI"]=> + NULL + ["textContent"]=> + string(0) "" +} diff --git a/ext/dom/tests/delayed_freeing/entity_declaration.phpt b/ext/dom/tests/delayed_freeing/entity_declaration.phpt index 3e082611c35..5caf29eedad 100644 --- a/ext/dom/tests/delayed_freeing/entity_declaration.phpt +++ b/ext/dom/tests/delayed_freeing/entity_declaration.phpt 
@@ -9,16 +9,32 @@ $doc->loadXML(<<<'XML'
+
 ]>
 XML);
-$entity = $doc->doctype->entities[0];
-var_dump($entity->nodeName, $entity->parentNode->nodeName);
+$ref1 = $doc->createEntityReference("test");
+$ref2 = $doc->createEntityReference("myimage");
+$entity1 = $doc->doctype->entities[0];
+$entity2 = $doc->doctype->entities[1];
+
+// Entity order depends on addresses
+if ($entity1->nodeName !== "test") {
+ [$entity1, $entity2] = [$entity2, $entity1];
+}
+
+var_dump($entity1->nodeName, $entity1->parentNode->nodeName);
+var_dump($entity2->nodeName, $entity2->parentNode->nodeName);
 $doc->removeChild($doc->doctype);
-var_dump($entity->nodeName, $entity->parentNode);
+var_dump($entity1->nodeName, $entity1->parentNode);
+var_dump($entity2->nodeName, $entity2->parentNode);
 ?>
 --EXPECT--
 string(4) "test"
 string(5) "books"
+string(7) "myimage"
+string(5) "books"
 string(4) "test"
 NULL
+string(7) "myimage"
+NULL
diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
index 526aa296aad..2eef24d2fff 100644
--- a/ext/libxml/libxml.c
+++ b/ext/libxml/libxml.c
@@ -206,12 +206,10 @@ static void php_libxml_node_free(xmlNodePtr node)
 * dtd is attached to the document. This works around the issue by inspecting the parent directly. */
 case XML_ENTITY_DECL: {
 xmlEntityPtr entity = (xmlEntityPtr) node;
- php_libxml_unlink_entity_decl(entity);
- if (entity->orig != NULL) {
- xmlFree((char *) entity->orig);
- entity->orig = NULL;
+ if (entity->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
+ php_libxml_unlink_entity_decl(entity);
+ xmlFreeEntity(entity);
 }
- xmlFreeNode(node);
 break;
 }
 case XML_NOTATION_NODE: {
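Review bot: `$ref1` and `$ref2` are assigned on the new side of the entity_declaration.phpt hunk but never read, so they look like dead code to anyone cleaning the test up later; presumably they are there to keep two entity reference nodes alive across `$doc->removeChild($doc->doctype)` so the freeing order under test is exercised, and a one-line comment saying so would protect them, e.g. `// Keep the references alive: their children point at the declarations that go away with the doctype`. The swap comment could also name the normalisation it performs, e.g. `// Entity order depends on addresses, so normalise to "test" first`. The heredoc that opens this hunk starts outside it, so the added declaration line itself is not visible here.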
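Review bot: `xmlFreeEntity(entity)` in the new `XML_ENTITY_DECL` branch is, to my recollection, only exported by recent libxml2 releases (it was a private helper inside entities.c before that), so this call should either be guarded on `LIBXML_VERSION` with a fallback that releases the entity's fields the way the removed `orig`/`xmlFreeNode` code did, or be confirmed against the oldest libxml2 the build accepts; otherwise builds against older libxml2 fail at link time. Second, the `entity->etype != XML_INTERNAL_PREDEFINED_ENTITY` check is the actual crash fix but carries no explanation; a comment such as `/* Predefined entities (amp, lt, ...) are static objects inside libxml2 shared by every document: never unlink or free them. */` would record why they are skipped. `php_libxml_node_free` continues outside the hunk on both ends.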
@@ -1385,6 +1383,15 @@ PHP_LIBXML_API void php_libxml_node_free_resource(xmlNodePtr node)
 case XML_DOCUMENT_NODE:
 case XML_HTML_DOCUMENT_NODE:
 break;
+ case XML_ENTITY_REF_NODE:
+ /* Entity reference nodes are special: their children point to entity declarations,
+ * but they don't own the declarations and therefore shouldn't free the children.
+ * Moreover, there can be N>1 reference nodes for a single entity declarations. */
+ php_libxml_unregister_node(node);
+ if (node->parent == NULL) {
+ php_libxml_node_free(node);
+ }
+ break;
 default:
 if (node->parent == NULL || node->type == XML_NAMESPACE_DECL) {
 php_libxml_node_free_list((xmlNodePtr) node->children);
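Review bot: The new `XML_ENTITY_REF_NODE` case depends on `php_libxml_node_free(node)` not descending into `node->children` for an entity reference, and the comment above it explains why the children must not be freed but not what guarantees the subsequent free honours that; if I recall correctly libxml2's own node free skips the children of entity reference nodes and `php_libxml_node_free` presumably ends up there for this type, so naming that guarantee in the comment (e.g. `/* Safe because the underlying free does not walk an entity reference's children. */`) would protect the invariant should `php_libxml_node_free` ever grow a case for this type. The comment's last sentence also has a number mismatch: `a single entity declarations` should read `a single entity declaration`. The `default` branch this case mirrors (unregister always, free only when `node->parent == NULL`) continues past the end of the hunk, so I could not confirm the two stay in step.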