Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter)

Author: laruence

NEWS

@@ -48,6 +48,9 @@ PHP                                                                        NEWS
   . Fixed bug #79000 (Non-blocking socket stream reports EAGAIN as error).
     (Nikita)
 
+- Libxml:
+  . Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence)
+
 18 Dec 2019, PHP 7.4.1
 
 - Core:

ext/libxml/libxml.c

@@ -355,6 +355,8 @@ static void *php_libxml_streams_IO_open_wrapper(const char *filename, const char
 	context = php_stream_context_from_zval(Z_ISUNDEF(LIBXML(stream_context))? NULL : &LIBXML(stream_context), 0);
 
 	ret_val = php_stream_open_wrapper_ex(path_to_open, (char *)mode, REPORT_ERRORS, NULL, context);
+	/* Prevent from closing this by fclose() */
+	((php_stream*)ret_val)->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
 	if (isescaped) {
 		xmlFree(resolved_path);
 	}

ext/xmlwriter/tests/bug79029.phpt

@@ -0,0 +1,32 @@
+--TEST--
+#79029 (Use After Free's in XMLReader / XMLWriter)
+--SKIPIF--
+<?php if (!extension_loaded("xmlwriter")) print "skip"; ?>
+--FILE--
+<?php
+$x = array( new XMLWriter() );
+$x[0]->openUri("bug79029.txt");
+$x[0]->startComment();
+@unlink("bug79029.txt");
+
+$x = new XMLWriter();
+$x->openUri("bug79029.txt");
+fclose(@end(get_resources()));
+@unlink("bug79029.txt");
+
+file_put_contents("bug79029.txt", "a");
+$x = new XMLReader();
+$x->open("bug79029.txt");
+fclose(@end(get_resources()));
+@unlink("bug79029.txt");
+?>
+okey
+--CLEAN--
+<?php
+@unlink("bug79029.txt");
+?>
+--EXPECTF--
+Warning: fclose(): %d is not a valid stream resource in %sbug79029.php on line %d
+
+Warning: fclose(): %d is not a valid stream resource in %sbug79029.php on line %d
+okey