Fix segfault in SimpleXML when using entities

Summary: Fix segfault while looking at security issue, any XML file parsed by SimpleXML resulted in a segfault if an Entity was provided. Test Plan: fast_tests No segfault with: <?php $test = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> <search><user>&xxe;</user></search>'; $x = new SimpleXMLElement($test); var_dump($x); Reviewers: mwilliams Reviewed By: mwilliams CC: ps, mwilliams Differential Revision: 346984 Revert Plan: Ok
linfeng321 · Nov 1, 2011 · 60f222a · 60f222a
1 parent 8285f45
commit 60f222a
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/src/runtime/ext/ext_simplexml.cpp b/src/runtime/ext/ext_simplexml.cpp
@@ -79,10 +79,12 @@ static String node_list_to_string(xmlDocPtr doc, xmlNodePtr list) {
 static Array collect_attributes(xmlNodePtr node, CStrRef ns, bool is_prefix) {
   ASSERT(node);
   Array attributes = Array::Create();
-  for (xmlAttrPtr attr = node->properties; attr; attr = attr->next) {
-    if (match_ns((xmlNodePtr)attr, ns, is_prefix)) {
-      String n = String((char*)attr->name, xmlStrlen(attr->name), CopyString);
-      attributes.set(n, node_list_to_string(node->doc, attr->children));
+  if (node->type != XML_ENTITY_DECL) {
+    for (xmlAttrPtr attr = node->properties; attr; attr = attr->next) {
+      if (match_ns((xmlNodePtr)attr, ns, is_prefix)) {
+        String n = String((char*)attr->name, xmlStrlen(attr->name), CopyString);
+        attributes.set(n, node_list_to_string(node->doc, attr->children));
+      }
     }
   }
   return attributes;