Fix #80852: Stack-overflow when json_encode()'ing SimpleXMLElement

We ignore `XML_ENTITY_DECL` nodes when getting the hash of the properties of a `SimpleXMLElement`.
php · Apr 27, 2021 · 9f7e8b7 · 9f7e8b7
1 parent 729cd8b
commit 9f7e8b7
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
@@ -1192,7 +1192,7 @@ static HashTable *sxe_get_prop_hash(zval *object, int is_debug) /* {{{ */
 				}
 			}
 
-			if (node->type == XML_ELEMENT_NODE && (! match_ns(sxe, node, sxe->iter.nsprefix, sxe->iter.isprefix))) {
+			if (node->type == XML_ELEMENT_NODE && (! match_ns(sxe, node, sxe->iter.nsprefix, sxe->iter.isprefix)) || node->type == XML_ENTITY_DECL) {
 				goto next_iter;
 			}
 
@@ -1889,7 +1889,7 @@ static int sxe_object_cast_ex(zval *readobj, zval *writeobj, int type)
 
 		if (sxe->node && sxe->node->node) {
 			if (sxe->node->node->children) {
-				contents = xmlNodeListGetString((xmlDocPtr) sxe->document->ptr, sxe->node->node->children, 1);
+				contents = xmlNodeListGetRawString((xmlDocPtr) sxe->document->ptr, sxe->node->node->children, 1);
 			}
 		}
 	}

diff --git a/ext/simplexml/tests/bug80852.phpt b/ext/simplexml/tests/bug80852.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #80852 (Stack-overflow when json_encode()'ing SimpleXMLElement)
+--SKIPIF--
+<?php
+if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+if (!extension_loaded('json')) die('skip json extension not available');
+?>
+--FILE--
+<?php
+$xml = '<!DOCTYPE foo [<!ENTITY xee1 "aaa"> <!ENTITY xee2 "&xee1;&xee1;"> ]><a>b&xee2;</a>';
+$sxe = simplexml_load_string($xml);
+var_dump(json_encode($sxe));
+var_dump($sxe);
+?>
+--EXPECT--
+string(11) "{"xee2":{}}"
+object(SimpleXMLElement)#1 (1) {
+  ["xee2"]=>
+  object(SimpleXMLElement)#3 (0) {
+  }
+}