Bug #35785 SimpleXML causes memory read error zend engine
Submitted: 2005-12-23 12:14 UTC Modified: 2006-02-27 00:20 UTC
From: TheFFF at gmail dot com Assigned: helly (profile)
Status: Closed Package: SimpleXML related
PHP Version: 5.1.2 OS: *
Private report: No CVE-ID: None
 [2005-12-23 12:14 UTC] TheFFF at gmail dot com
Description:
------------
trying to set some values

Reproduce code:
---------------
<?php
  $options["database"] = "xmldatabase";
  $x = simplexml_load_string("<root></root>");
  $count = count($x->posts) + 1;
  // assignment through the non-existent element "bla" with a dimension index
  $x->bla->posts[$count]->name = $_POST["name"];
  echo $x->asXML();
?>

also getting the error with simplexml_load_file();

Expected result:
----------------
bla doesn't exist, so some kind of error

Actual result:
--------------
The instruction at "0x006d693c" referenced memory "0x000000c". The memory could not be "read"


 [2005-12-23 15:16 UTC] tony2001@php.net
Reproducible with 5.1.2-dev.
The backtrace is quite useless:

Program received signal SIGSEGV, Segmentation fault.
0x081d285e in zend_pzval_unlock_func (z=0x5a5a5a5a, should_free=0xbfffc76c) at /usr/src/dev/clean/php-src_5_1/Zend/zend_execute.c:66
66              if (!--z->refcount) {
(gdb) bt
#0  0x081d285e in zend_pzval_unlock_func (z=0x5a5a5a5a, should_free=0xbfffc76c) at /usr/src/dev/clean/php-src_5_1/Zend/zend_execute.c:66
#1  0x081d2c16 in _get_zval_ptr_ptr_var (node=0x82d8558, Ts=0xbfffc7c0, should_free=0xbfffc76c) at /usr/src/dev/clean/php-src_5_1/Zend/zend_execute.c:259
#2  0x081a4270 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_HANDLER (execute_data=0xbfffca30) at zend_vm_execute.h:8726
#3  0x0818f3ad in execute (op_array=0x82d3ed4) at zend_vm_execute.h:92
#4  0x081727c8 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/clean/php-src_5_1/Zend/zend.c:1101
#5  0x0812f104 in php_execute_script (primary_file=0xbfffeed0) at /usr/src/dev/clean/php-src_5_1/main/main.c:1720
#6  0x081d5d2e in main (argc=2, argv=0xbfffefb4) at /usr/src/dev/clean/php-src_5_1/sapi/cli/php_cli.c:1077

 [2005-12-26 13:20 UTC] helly@php.net
From dmitry:

The problem is:

$xml->bla->props[0]->name = 0;

For the nonexistent element "props", simplexml returns NULL with refcount == 0;
Then ZE tries to assign a dimension into it;
It converts NULL into an array;
inserts an uninitialized zval into it (for index 0);
stores the zval** for the next opcode.
Then it destroys the array, because refcount is 0 (this 0 comes from simplexml).

The next opcode crashes because the stored zval** is destroyed together with the array.


This bug must be fixed in ext/simplexml.
It must care about the "type" argument of the read_property() callback and implement
implicit element/attribute creation or prohibit it.
ZE cannot handle such an assignment automatically. (It uses get_zval_ptr_ptr() for
that, but simplexml doesn't define it).


So this goes back to me
 [2006-02-26 17:50 UTC] helly@php.net
In HEAD the following raises an error now, but no more mem corruption:
$xml->bla->props[0]->name = $val;

This works now:
$xml->bla->props->name = $val;
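The following is an added example, not code from the bug report or from PHP itself. It takes the reporter's reproduce script and rewrites it so that no nested element is created implicitly through a dimension assignment (the pattern dmitry describes as impossible for the engine to handle): elements are created explicitly with addChild(), and the index is only used once the element exists. The document and the post name are constructed sample values; the variable names are the example's own.

```php
<?php
// Added example (not the bug report's code): explicit element creation with
// SimpleXML instead of implicit creation through nested property/dimension
// assignment, which crashed PHP 5.1.2 in this report.

// Constructed sample document, same as in the reproduce script.
$x = simplexml_load_string("<root></root>");

// count() on a missing element returns 0, so this is safe either way.
$existing = count($x->posts);

// Plain property assignment on a missing element: after the fix this creates
// <bla><props><name>first</name></props></bla> (the "this works now" case).
$val = "first";
$x->bla->props->name = $val;

// For dimension access, create the element first, then index into it.
$name = "constructed post name";  // stands in for $_POST["name"]
if (!isset($x->bla->posts)) {
    $x->bla->addChild("posts");
}
$post = $x->bla->posts[0];        // now refers to an element that exists

// addChild() does not escape ampersands in the value, so escape user-supplied
// text before inserting it (ENT_XML1 is available since PHP 5.4).
$post->addChild("name", htmlspecialchars($name, ENT_XML1 | ENT_QUOTES, "UTF-8"));

// Report what was built; $existing is 0 for the constructed document.
echo "previously existing <posts>: " . $existing . "\n";
echo $x->asXML();
?>
```

The isset() check is the part that matters: on the fixed engine a missing `posts[0]` raises an error rather than corrupting memory, and creating the child explicitly avoids hitting that error at all.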
 [2006-02-27 00:20 UTC] helly@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
