Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces)

NEWS

@@ -5,6 +5,10 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #74947 (Segfault in scanner on INF number). (Laruence)
 
+- SimpleXML:
+  . Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces).
+    (Laruence)
+
 - SPL:
   . Fixed bug #74669 (Unserialize ArrayIterator broken). (Andrew Nester)
 

ext/simplexml/simplexml.c

@@ -2321,16 +2321,16 @@ SXE_METHOD(__construct)
 	}
 
 	if (ZEND_SIZE_T_INT_OVFL(data_len)) {
-		php_error_docref(NULL, E_WARNING, "Data is too long");
-		RETURN_FALSE;
+		zend_throw_exception(zend_ce_exception, "Data is too long", 0);
+		return;
 	}
 	if (ZEND_SIZE_T_INT_OVFL(ns_len)) {
-		php_error_docref(NULL, E_WARNING, "Namespace is too long");
-		RETURN_FALSE;
+		zend_throw_exception(zend_ce_exception, "Namespace is too long", 0);
+		return;
 	}
 	if (ZEND_LONG_EXCEEDS_INT(options)) {
-		php_error_docref(NULL, E_WARNING, "Invalid options");
-		RETURN_FALSE;
+		zend_throw_exception(zend_ce_exception, "Invalid options", 0);
+		return;
 	}
 
 	docp = is_url ? xmlReadFile(data, NULL, (int)options) : xmlReadMemory(data, (int)data_len, NULL, NULL, (int)options);

ext/simplexml/tests/bug74950.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #74950 (null pointer deref in zim_simplexml_element_getDocNamespaces)
+--SKIPIF--
+<?php
+if (!extension_loaded("simplexml")) die("skip SimpleXML not available");
+?>
+--FILE--
+<?php
+$xml=new SimpleXMLElement(0,9000000000);var_dump($xml->getDocNamespaces())?>
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception: Invalid options in %sbug74950.php:%d
+Stack trace:
+#0 %sbug74950.php(%d): SimpleXMLElement->__construct('0', 9000000000)
+#1 {main}
+  thrown in %sbug74950.php on line %d