fixes

ndossche · ndossche · commit a46a42225168 · 2024-12-17T22:45:17.000+01:00
diff --git a/ext/xml/tests/gh17187_2.phpt b/ext/xml/tests/gh17187_2.phpt
@@ -16,8 +16,8 @@ class ImmutableParser {
         xml_set_element_handler($this->parser, function ($parser, $name, $attrs) {
             echo "open\n";
             var_dump($name, $attrs);
-            $this->immutableData1 = 0xdeadbeef;
-            $this->immutableData2 = 0xbeefdead;
+            $this->immutableData1 = 0xdead;
+            $this->immutableData2 = 0xbeef;
         }, function ($parser, $name) {
             echo "close\n";
             var_dump($name);
@@ -49,5 +49,5 @@ close
 string(5) "CHILD"
 close
 string(9) "CONTAINER"
-int(3735928559)
-int(3203391149)
+int(57005)
+int(48879)
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
@@ -103,7 +103,7 @@ typedef struct {
 	int level;
 	int toffset;
 	int curtag;
-	uint32_t ctag_index;
+	zend_long ctag_index;
 	char **ltags;
 	int lastwasopen;
 	int skipwhite;
@@ -602,11 +602,11 @@ static zval *xml_get_ctag(xml_parser *parser)
 	zval *data = xml_get_separated_data(parser);
 	if (EXPECTED(data)) {
 		zval *zv = zend_hash_index_find(Z_ARRVAL_P(data), parser->ctag_index);
-		if (!zv) {
+		if (UNEXPECTED(!zv)) {
 			return NULL;
 		}
 		ZVAL_DEREF(zv);
-		if (Z_TYPE_P(zv) != IS_ARRAY) {
+		if (UNEXPECTED(Z_TYPE_P(zv) != IS_ARRAY)) {
 			return NULL;
 		}
 		SEPARATE_ARRAY(zv);
@@ -697,9 +697,11 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch
 			zval *data = xml_get_separated_data(parser);
 			if (EXPECTED(data)) {
 				/* Note: due to array resizes or user interference,
-				 * we have to store an index instaed of a zval into the array's memory. */
-				parser->ctag_index = Z_ARRVAL_P(data)->nNextFreeElement;
-				zend_hash_next_index_insert(Z_ARRVAL_P(data), &tag);
+				 * we have to store an index instead of a zval into the array's memory. */
+				if (!zend_hash_next_index_insert(Z_ARRVAL_P(data), &tag)) {
+					zval_ptr_dtor(&tag);
+				}
+				parser->ctag_index = Z_ARRVAL_P(data)->nNextFreeElement - 1;
 			} else {
 				zval_ptr_dtor(&tag);
 			}
@@ -817,12 +819,13 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len)
 	if (parser->lastwasopen) {
 		zval *ctag = xml_get_ctag(parser);
 		if (UNEXPECTED(!ctag)) {
+			zend_string_release_ex(decoded_value, false);
 			return;
 		}
 
 		zval *myval;
 		/* check if the current tag already has a value - if yes append to that! */
-		if ((myval = zend_hash_find(Z_ARRVAL_P(ctag), ZSTR_KNOWN(ZEND_STR_VALUE)))) {
+		if ((myval = zend_hash_find(Z_ARRVAL_P(ctag), ZSTR_KNOWN(ZEND_STR_VALUE))) && Z_TYPE_P(myval) == IS_STRING) {
 			size_t newlen = Z_STRLEN_P(myval) + ZSTR_LEN(decoded_value);
 			Z_STR_P(myval) = zend_string_extend(Z_STR_P(myval), newlen, 0);
 			strncpy(Z_STRVAL_P(myval) + Z_STRLEN_P(myval) - ZSTR_LEN(decoded_value),
@@ -841,6 +844,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len)
 
 		zval *data = xml_get_separated_data(parser);
 		if (UNEXPECTED(!data)) {
+			zend_string_release_ex(decoded_value, false);
 			return;
 		}
 
