Fix #71592: External entity processing never fails

If the callback set via `xml_set_external_entity_ref_handler()` returns
a falsy value, parsing is supposed to stop and the error number set to
`XML_ERROR_EXTERNAL_ENTITY_HANDLING`.  This is already correctly done
by the libexpat binding, but the libxml2 binding ignores the return
value.  We fix this by calling `xmlStopParser()` which is available as
of libxml 2.1.0[1] (PHP-7.1 requires at least libxml 2.6.11 anyway),
and setting the desired `errNo` ourselves.

[1] <http://xmlsoft.org/news.html>

Author: cmb69

NEWS

@@ -9,6 +9,9 @@ PHP                                                                        NEWS
   . Fixed bug #50675 (SoapClient can't handle object references correctly).
     (Cameron Porter)
 
+- XML:
+  . Fixed bug 71592 (External entity processing never fails). (cmb)
+
 25 Oct 2018, PHP 7.3.0RC4
 
 - Core:

UPGRADING

@@ -482,6 +482,11 @@ PCRE:
     supported transparently. Since tidyp offers no API to get the release date,
     tidy_get_release() and tidy::getRelease() return 'unknown' in this case.
 
+ XML:
+  . The return value of the `xml_set_external_entity_ref_handler()` callback is
+    now also heeded if the extension has been built against libxml. Formerly,
+    the return value has been ignored, and parsing did never stop.
+
  Zip:
   . Building against the bundled libzip is discouraged, but still possible by
     adding `--without-libzip` to the configuration.

ext/xml/compat.c

@@ -359,7 +359,10 @@ _external_entity_ref_handler(void *user, const xmlChar *names, int type, const x
 		return;
 	}
 
-	parser->h_external_entity_ref(parser, names, (XML_Char *) "", sys_id, pub_id);
+	if (!parser->h_external_entity_ref(parser, names, (XML_Char *) "", sys_id, pub_id)) {
+		xmlStopParser(parser->parser);
+		parser->parser->errNo = XML_ERROR_EXTERNAL_ENTITY_HANDLING;
+	};
 }
 
 static xmlEntityPtr

ext/xml/tests/bug71592.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Bug #71592 (External entity processing never fails)
+--SKIPIF--
+<?php
+if (!extension_loaded('xml')) die('skip xml extension not available');
+?>
+--FILE--
+<?php
+$xml = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE p [
+  <!ENTITY pic PUBLIC "image.gif" "http://example.org/image.gif">
+]>
+<root>
+<p>&pic;</p>
+<p></nop>
+</root>
+XML;
+
+$parser = xml_parser_create_ns('UTF-8');
+xml_set_external_entity_ref_handler($parser, function () {
+    return false;
+});
+xml_parse($parser, $xml);
+var_dump(xml_get_error_code($parser));
+?>
+===DONE===
+--EXPECT--
+int(21)
+===DONE===