Commit 1d5089e5740 for php.net

commit 1d5089e5740b6831485b17bddf482f4d91894305
Author: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date:   Mon Jun 30 18:48:27 2025 +0200

    Fix GH-18979: DOM\XMLDocument::createComment() triggers undefined behavior with null byte

    Closes GH-18983.

diff --git a/NEWS b/NEWS
index 1af91056238..6bc566be390 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,10 @@ PHP                                                                        NEWS
   . Fix memory leaks when returning refcounted value from curl callback.
     (nielsdos)

+- DOM:
+  . Fixed bug GH-18979 (Dom\XMLDocument::createComment() triggers undefined
+    behavior with null byte). (nielsdos)
+
 - LDAP:
   . Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty
     request OID. (David Carlier)
diff --git a/ext/dom/tests/modern/xml/gh18979.phpt b/ext/dom/tests/modern/xml/gh18979.phpt
new file mode 100644
index 00000000000..3a90bd58377
--- /dev/null
+++ b/ext/dom/tests/modern/xml/gh18979.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-18979 (DOM\XMLDocument::createComment() triggers undefined behavior with null byte)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$dom = Dom\XMLDocument::createEmpty();
+$container = $dom->createElement("container");
+$container->append($dom->createComment("\0"));
+var_dump($container->innerHTML);
+?>
+--EXPECT--
+string(7) "<!---->"
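Review bot: The test only exercises comment content that is empty once it is cut at the NUL byte, so the two rejections that the serializer change now performs separately are not pinned by it. A second case with non-empty content ending in `-`, and one containing `--`, would show that splitting the condition did not change which comments are refused. The expected section for those would be whatever error the serializer reports for content that is not well-formed. A case such as `$dom->createComment("a\0b")` would also document how bytes after the NUL are treated, which the expected `<!---->` only implies.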
diff --git a/ext/dom/xml_serializer.c b/ext/dom/xml_serializer.c
index debbb41fdad..a4b46082b0e 100644
--- a/ext/dom/xml_serializer.c
+++ b/ext/dom/xml_serializer.c
@@ -640,7 +640,11 @@ static int dom_xml_serialize_comment_node(xmlOutputBufferPtr out, xmlNodePtr com
 		const xmlChar *ptr = comment->content;
 		if (ptr != NULL) {
 			TRY(dom_xml_check_char_production(ptr));
-			if (strstr((const char *) ptr, "--") != NULL || ptr[strlen((const char *) ptr) - 1] == '-') {
+			if (strstr((const char *) ptr, "--") != NULL) {
+				return -1;
+			}
+			size_t len = strlen((const char *) ptr);
+			if (len > 0 && ptr[len - 1] == '-') {
 				return -1;
 			}
 		}
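Review bot: The `len > 0` guard on the new trailing-hyphen check has no comment explaining what it protects against. With empty content the old expression evaluated `ptr[strlen(ptr) - 1]`, which reads one byte before the buffer. I would add above the `size_t len` line a comment such as `/* Content may be empty (e.g. created from a string starting with a NUL byte); do not index ptr[len - 1] when len == 0. */`. Both checks use C-string functions, so anything after an embedded NUL is not inspected here. That is presumably fine if the node content is already stored NUL-terminated, but it is worth confirming. The body of dom_xml_serialize_comment_node starts and ends outside this hunk.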