Throw instead of silently failing when creating a too long text node

nielsdos · nielsdos · commit 0ff6c54eebb6 · 2024-07-20T19:12:56.000+02:00
Lower branches suffer from this as well but we cannot change the
behaviour there.
We also add NULL checks to check for allocation failure.
diff --git a/ext/dom/parentnode/tree.c b/ext/dom/parentnode/tree.c
@@ -98,6 +98,11 @@ zend_result dom_parent_node_child_element_count(dom_object *obj, zval *retval)
 }
 /* }}} */
 
+static ZEND_COLD void dom_cannot_create_temp_nodes(void)
+{
+	php_dom_throw_error_with_message(INVALID_MODIFICATION_ERR, "Unable to allocate temporary nodes", /* strict */ true);
+}
+
 static bool dom_is_node_in_list(const zval *nodes, uint32_t nodesc, const xmlNode *node_to_find)
 {
 	for (uint32_t i = 0; i < nodesc; i++) {
@@ -363,12 +368,17 @@ xmlNode* dom_zvals_to_single_node(php_libxml_ref_obj *document, xmlNode *context
 			return dom_object_get_node(Z_DOMOBJ_P(nodes));
 		} else {
 			ZEND_ASSERT(Z_TYPE_P(nodes) == IS_STRING);
-			return xmlNewDocTextLen(documentNode, BAD_CAST Z_STRVAL_P(nodes), Z_STRLEN_P(nodes));
+			node = xmlNewDocTextLen(documentNode, BAD_CAST Z_STRVAL_P(nodes), Z_STRLEN_P(nodes));
+			if (UNEXPECTED(node == NULL)) {
+				dom_cannot_create_temp_nodes();
+			}
+			return node;
 		}
 	}
 
 	node = xmlNewDocFragment(documentNode);
 	if (UNEXPECTED(!node)) {
+		dom_cannot_create_temp_nodes();
 		return NULL;
 	}
 
@@ -408,6 +418,10 @@ xmlNode* dom_zvals_to_single_node(php_libxml_ref_obj *document, xmlNode *context
 
 			/* Text nodes can't violate the hierarchy at this point. */
 			newNode = xmlNewDocTextLen(documentNode, BAD_CAST Z_STRVAL(nodes[i]), Z_STRLEN(nodes[i]));
+			if (UNEXPECTED(newNode == NULL)) {
+				dom_cannot_create_temp_nodes();
+				goto err;
+			}
 			dom_add_child_without_merging(node, newNode);
 		}
 	}
@@ -434,7 +448,12 @@ static zend_result dom_sanity_check_node_list_types(zval *nodes, uint32_t nodesc
 				zend_argument_type_error(i + 1, "must be of type %s|string, %s given", ZSTR_VAL(node_ce->name), zend_zval_type_name(&nodes[i]));
 				return FAILURE;
 			}
-		} else if (type != IS_STRING) {
+		} else if (type == IS_STRING) {
+			if (Z_STRLEN(nodes[i]) > INT_MAX) {
+				zend_argument_value_error(i + 1, "must be less than or equal to %d bytes long", INT_MAX);
+				return FAILURE;
+			}
+		} else {
 			zend_argument_type_error(i + 1, "must be of type %s|string, %s given", ZSTR_VAL(node_ce->name), zend_zval_type_name(&nodes[i]));
 			return FAILURE;
 		}
diff --git a/ext/dom/tests/parentnode_childnode_too_long_text.phpt b/ext/dom/tests/parentnode_childnode_too_long_text.phpt
@@ -0,0 +1,80 @@
+--TEST--
+Passing a too long string to ChildNode or ParentNode methods causes an exception
+--EXTENSIONS--
+dom
+--INI--
+memory_limit=-1
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE !== 8) die('skip Only for 64-bit');
+if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
+// Copied from file_get_contents_file_put_contents_5gb.phpt
+function get_system_memory(): int|float|false
+{
+    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
+        // Windows-based memory check
+        @exec('wmic OS get FreePhysicalMemory', $output);
+        if (isset($output[1])) {
+            return ((int)trim($output[1])) * 1024;
+        }
+    } else {
+        // Unix/Linux-based memory check
+        $memInfo = @file_get_contents("/proc/meminfo");
+        if ($memInfo) {
+            preg_match('/MemFree:\s+(\d+) kB/', $memInfo, $matches);
+            return $matches[1] * 1024; // Convert to bytes
+        }
+    }
+    return false;
+}
+if (get_system_memory() < 4 * 1024 * 1024 * 1024) {
+    die('skip Reason: Insufficient RAM (less than 4GB)');
+}
+?>
+--FILE--
+<?php
+$dom = new DOMDocument;
+$element = $dom->appendChild($dom->createElement('root'));
+$str = str_repeat('X', 2**31 + 10);
+try {
+    $element->append('x', $str);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    $element->prepend('x', $str);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    $element->after('x', $str);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    $element->before('x', $str);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    $element->replaceWith('x', $str);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    $element->replaceChildren('x', $str);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($dom->childNodes->count());
+var_dump($element->childNodes->count());
+?>
+--EXPECT--
+DOMElement::append(): Argument #2 must be less than or equal to 2147483647 bytes long
+DOMElement::prepend(): Argument #2 must be less than or equal to 2147483647 bytes long
+DOMElement::after(): Argument #2 must be less than or equal to 2147483647 bytes long
+DOMElement::before(): Argument #2 must be less than or equal to 2147483647 bytes long
+DOMElement::replaceWith(): Argument #2 must be less than or equal to 2147483647 bytes long
+DOMElement::replaceChildren(): Argument #2 must be less than or equal to 2147483647 bytes long
+int(1)
+int(0)

Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,11 @@ zend_result dom_parent_node_child_element_count(dom_object obj, zval retval)`
`98`	`98`	`}`
`99`	`99`	`/* }}} */`
`100`	`100`
	`101`	`+static ZEND_COLD void dom_cannot_create_temp_nodes(void)`
	`102`	`+{`
	`103`	`+ php_dom_throw_error_with_message(INVALID_MODIFICATION_ERR, "Unable to allocate temporary nodes", /* strict */ true);`
	`104`	`+}`
	`105`	`+`
`101`	`106`	`static bool dom_is_node_in_list(const zval nodes, uint32_t nodesc, const xmlNode node_to_find)`
`102`	`107`	`{`
`103`	`108`	`for (uint32_t i = 0; i < nodesc; i++) {`
`@@ -363,12 +368,17 @@ xmlNode* dom_zvals_to_single_node(php_libxml_ref_obj document, xmlNode context`
`363`	`368`	`return dom_object_get_node(Z_DOMOBJ_P(nodes));`
`364`	`369`	`} else {`
`365`	`370`	`ZEND_ASSERT(Z_TYPE_P(nodes) == IS_STRING);`
`366`		`- return xmlNewDocTextLen(documentNode, BAD_CAST Z_STRVAL_P(nodes), Z_STRLEN_P(nodes));`
	`371`	`+ node = xmlNewDocTextLen(documentNode, BAD_CAST Z_STRVAL_P(nodes), Z_STRLEN_P(nodes));`
	`372`	`+ if (UNEXPECTED(node == NULL)) {`
	`373`	`+ dom_cannot_create_temp_nodes();`
	`374`	`+ }`
	`375`	`+ return node;`
`367`	`376`	`}`
`368`	`377`	`}`
`369`	`378`
`370`	`379`	`node = xmlNewDocFragment(documentNode);`
`371`	`380`	`if (UNEXPECTED(!node)) {`
	`381`	`+ dom_cannot_create_temp_nodes();`
`372`	`382`	`return NULL;`
`373`	`383`	`}`
`374`	`384`
`@@ -408,6 +418,10 @@ xmlNode* dom_zvals_to_single_node(php_libxml_ref_obj document, xmlNode context`
`408`	`418`
`409`	`419`	`/* Text nodes can't violate the hierarchy at this point. */`
`410`	`420`	`newNode = xmlNewDocTextLen(documentNode, BAD_CAST Z_STRVAL(nodes[i]), Z_STRLEN(nodes[i]));`
	`421`	`+ if (UNEXPECTED(newNode == NULL)) {`
	`422`	`+ dom_cannot_create_temp_nodes();`
	`423`	`+ goto err;`
	`424`	`+ }`
`411`	`425`	`dom_add_child_without_merging(node, newNode);`
`412`	`426`	`}`
`413`	`427`	`}`
`@@ -434,7 +448,12 @@ static zend_result dom_sanity_check_node_list_types(zval *nodes, uint32_t nodesc`
`434`	`448`	`zend_argument_type_error(i + 1, "must be of type %s\|string, %s given", ZSTR_VAL(node_ce->name), zend_zval_type_name(&nodes[i]));`
`435`	`449`	`return FAILURE;`
`436`	`450`	`}`
`437`		`- } else if (type != IS_STRING) {`
	`451`	`+ } else if (type == IS_STRING) {`
	`452`	`+ if (Z_STRLEN(nodes[i]) > INT_MAX) {`
	`453`	`+ zend_argument_value_error(i + 1, "must be less than or equal to %d bytes long", INT_MAX);`
	`454`	`+ return FAILURE;`
	`455`	`+ }`
	`456`	`+ } else {`
`438`	`457`	`zend_argument_type_error(i + 1, "must be of type %s\|string, %s given", ZSTR_VAL(node_ce->name), zend_zval_type_name(&nodes[i]));`
`439`	`458`	`return FAILURE;`
`440`	`459`	`}`