tony2001                                 Tue, 07 Feb 2012 20:49:10 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=323118

Log:
fix bug #54682 (tidy null pointer dereference)

Bug: https://bugs.php.net/54682 (Re-Opened) tidy NullPD
      
Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/tidy/tests/bug54682.phpt
    U   php/php-src/branches/PHP_5_3/ext/tidy/tidy.c
    U   php/php-src/branches/PHP_5_4/ext/tidy/tidy.c
    U   php/php-src/trunk/ext/tidy/tidy.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2012-02-07 20:32:39 UTC (rev 323117)
+++ php/php-src/branches/PHP_5_3/NEWS   2012-02-07 20:49:10 UTC (rev 323118)
@@ -5,6 +5,9 @@
   . Fixed bug #60860 (session.save_handler=user without defined function core
     dumps). (Felipe)

+- Tidy:
+  . Fixed bug #54682 (tidy null pointer dereference). (Tony, David Soria Parra)
+
 - Core:
   . Fixed bug #60227 (header() cannot detect the multi-line header with CR).
     (rui, Gustavo)

Modified: php/php-src/branches/PHP_5_3/ext/tidy/tests/bug54682.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/ext/tidy/tests/bug54682.phpt   2012-02-07 
20:32:39 UTC (rev 323117)
+++ php/php-src/branches/PHP_5_3/ext/tidy/tests/bug54682.phpt   2012-02-07 
20:49:10 UTC (rev 323118)
@@ -10,4 +10,4 @@

 ?>
 --EXPECTF--
-Warning: tidy::__construct(): Cannot Load '*' into memory in %s on line %d
+Warning: tidy::__construct(): Cannot Load '*' into memory in  %s on line %d

Modified: php/php-src/branches/PHP_5_3/ext/tidy/tidy.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/tidy/tidy.c        2012-02-07 20:32:39 UTC 
(rev 323117)
+++ php/php-src/branches/PHP_5_3/ext/tidy/tidy.c        2012-02-07 20:49:10 UTC 
(rev 323118)
@@ -190,6 +190,7 @@
        TidyDoc     doc;
        TidyBuffer  *errbuf;
        unsigned int ref_count;
+       unsigned int initialized:1;
 };

 struct _PHPTidyObj {
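Review bot: The new `initialized` bit has no comment saying what state it records, yet the later hunks make it the condition for calling into libtidy on `doc`. Consider documenting it on the field, for example `/* 0 for a freshly created document, 1 once a parse has been started on doc */`. The struct definition begins above this hunk. The same applies to the matching struct hunks in the PHP_5_4 and trunk copies of tidy.c.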
@@ -701,6 +702,7 @@
                        intern->ptdoc = emalloc(sizeof(PHPTidyDoc));
                        intern->ptdoc->doc = tidyCreate();
                        intern->ptdoc->ref_count = 1;
+                       intern->ptdoc->initialized = 0;
                        intern->ptdoc->errbuf = emalloc(sizeof(TidyBuffer));
                        tidyBufInit(intern->ptdoc->errbuf);

@@ -1040,7 +1042,9 @@
                        return FAILURE;
                }
        }
-
+
+       obj->ptdoc->initialized = 1;
+
        tidyBufInit(&buf);
        tidyBufAppend(&buf, string, len);
        if (tidyParseBuffer(obj->ptdoc->doc, &buf) < 0) {
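Review bot: `obj->ptdoc->initialized = 1;` is assigned before `tidyParseBuffer()` runs, so a document whose parse returns a negative value is still marked initialized and will pass the new guard in front of `tidyRunDiagnostics()`. If the flag is meant to say that `doc` holds parsed state, move the assignment to after the successful parse. If it only means a parse was attempted, say so in a comment, because this diff does not show whether libtidy leaves the document usable after a failed parse. The failure branch and the rest of the function lie outside the hunk. The corresponding PHP_5_4 and trunk hunks, which use `tidyBufAttach`, have the same ordering.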
@@ -1288,7 +1292,7 @@
 {
        TIDY_FETCH_OBJECT;

-       if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
+       if (obj->ptdoc->initialized && tidyRunDiagnostics(obj->ptdoc->doc) >= 
0) {
                tidy_doc_update_properties(obj TSRMLS_CC);
                RETURN_TRUE;
        }
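Review bot: The `obj->ptdoc->initialized` check is added only in front of `tidyRunDiagnostics()`, and this commit does not show whether other methods that reach libtidy through `TIDY_FETCH_OBJECT` on a never-parsed document need the same guard. It is worth auditing those call sites and, if several need it, putting the check in one shared place instead of repeating it per function. A short comment above the condition, such as `/* bug #54682: do not run diagnostics on a document that was never parsed */`, would keep the guard from being dropped in a later cleanup. The function's signature and the code after the `if` are outside the hunk. The PHP_5_4 and trunk hunks are identical in this respect.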

Modified: php/php-src/branches/PHP_5_4/ext/tidy/tidy.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/tidy/tidy.c        2012-02-07 20:32:39 UTC 
(rev 323117)
+++ php/php-src/branches/PHP_5_4/ext/tidy/tidy.c        2012-02-07 20:49:10 UTC 
(rev 323118)
@@ -191,6 +191,7 @@
        TidyDoc                 doc;
        TidyBuffer              *errbuf;
        unsigned int    ref_count;
+       unsigned int    initialized:1;
 };

 struct _PHPTidyObj {
@@ -688,6 +689,7 @@
                        intern->ptdoc = emalloc(sizeof(PHPTidyDoc));
                        intern->ptdoc->doc = tidyCreate();
                        intern->ptdoc->ref_count = 1;
+                       intern->ptdoc->initialized = 0;
                        intern->ptdoc->errbuf = emalloc(sizeof(TidyBuffer));
                        tidyBufInit(intern->ptdoc->errbuf);

@@ -1047,7 +1049,9 @@
                        return FAILURE;
                }
        }
-
+
+       obj->ptdoc->initialized = 1;
+
        tidyBufInit(&buf);
        tidyBufAttach(&buf, (byte *) string, len);
        if (tidyParseBuffer(obj->ptdoc->doc, &buf) < 0) {
@@ -1336,7 +1340,7 @@
 {
        TIDY_FETCH_OBJECT;

-       if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
+       if (obj->ptdoc->initialized && tidyRunDiagnostics(obj->ptdoc->doc) >= 
0) {
                tidy_doc_update_properties(obj TSRMLS_CC);
                RETURN_TRUE;
        }

Modified: php/php-src/trunk/ext/tidy/tidy.c
===================================================================
--- php/php-src/trunk/ext/tidy/tidy.c   2012-02-07 20:32:39 UTC (rev 323117)
+++ php/php-src/trunk/ext/tidy/tidy.c   2012-02-07 20:49:10 UTC (rev 323118)
@@ -191,6 +191,7 @@
        TidyDoc                 doc;
        TidyBuffer              *errbuf;
        unsigned int    ref_count;
+       unsigned int    initialized:1;
 };

 struct _PHPTidyObj {
@@ -688,6 +689,7 @@
                        intern->ptdoc = emalloc(sizeof(PHPTidyDoc));
                        intern->ptdoc->doc = tidyCreate();
                        intern->ptdoc->ref_count = 1;
+                       intern->ptdoc->initialized = 0;
                        intern->ptdoc->errbuf = emalloc(sizeof(TidyBuffer));
                        tidyBufInit(intern->ptdoc->errbuf);

@@ -1047,7 +1049,9 @@
                        return FAILURE;
                }
        }
-
+
+       obj->ptdoc->initialized = 1;
+
        tidyBufInit(&buf);
        tidyBufAttach(&buf, (byte *) string, len);
        if (tidyParseBuffer(obj->ptdoc->doc, &buf) < 0) {
@@ -1336,7 +1340,7 @@
 {
        TIDY_FETCH_OBJECT;

-       if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
+       if (obj->ptdoc->initialized && tidyRunDiagnostics(obj->ptdoc->doc) >= 
0) {
                tidy_doc_update_properties(obj TSRMLS_CC);
                RETURN_TRUE;
        }
