Merge branch 'PHP-8.4'

nielsdos · nielsdos · commit 30662e4e2bb7 · 2025-07-01T18:51:31.000+02:00
* PHP-8.4: Fix GH-18979: DOM\XMLDocument::createComment() triggers undefined behavior with null byte
diff --git a/ext/dom/tests/modern/xml/gh18979.phpt b/ext/dom/tests/modern/xml/gh18979.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-18979 (DOM\XMLDocument::createComment() triggers undefined behavior with null byte)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$dom = Dom\XMLDocument::createEmpty();
+$container = $dom->createElement("container");
+$container->append($dom->createComment("\0"));
+var_dump($container->innerHTML);
+?>
+--EXPECT--
+string(7) "<!---->"
diff --git a/ext/dom/xml_serializer.c b/ext/dom/xml_serializer.c
@@ -640,7 +640,11 @@ static int dom_xml_serialize_comment_node(xmlOutputBufferPtr out, xmlNodePtr com
 		const xmlChar *ptr = comment->content;
 		if (ptr != NULL) {
 			TRY(dom_xml_check_char_production(ptr));
-			if (strstr((const char *) ptr, "--") != NULL || ptr[strlen((const char *) ptr) - 1] == '-') {
+			if (strstr((const char *) ptr, "--") != NULL) {
+				return -1;
+			}
+			size_t len = strlen((const char *) ptr);
+			if (len > 0 && ptr[len - 1] == '-') {
 				return -1;
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -640,7 +640,11 @@ static int dom_xml_serialize_comment_node(xmlOutputBufferPtr out, xmlNodePtr com`
`640`	`640`	`const xmlChar *ptr = comment->content;`
`641`	`641`	`if (ptr != NULL) {`
`642`	`642`	`TRY(dom_xml_check_char_production(ptr));`
`643`		`- if (strstr((const char ) ptr, "--") != NULL \|\| ptr[strlen((const char ) ptr) - 1] == '-') {`
	`643`	`+ if (strstr((const char *) ptr, "--") != NULL) {`
	`644`	`+ return -1;`
	`645`	`+ }`
	`646`	`+ size_t len = strlen((const char *) ptr);`
	`647`	`+ if (len > 0 && ptr[len - 1] == '-') {`
`644`	`648`	`return -1;`
`645`	`649`	`}`
`646`	`650`	`}`