Bug #35785 SimpleXML causes memory read error zend engine
Submitted: 2005-12-23 12:14 UTC Modified: 2006-02-27 00:20 UTC
From: TheFFF at gmail dot com Assigned: helly (profile)
Status: Closed Package: SimpleXML related
PHP Version: 5.1.2 OS: *
Private report: No CVE-ID: None
 [2005-12-23 12:14 UTC] TheFFF at gmail dot com
Description:
------------
Trying to set some values.

Reproduce code:
---------------
<?php
  $options["database"] = "xmldatabase";
  $x = simplexml_load_string("<root></root>");
  $count = count($x->posts) + 1;
  // "bla" does not exist in the document; assigning through it is what triggers the crash
  $x->bla->posts[$count]->name = $_POST["name"];
  echo $x->asXML();
?>

also getting the error with simplexml_load_file();

Expected result:
----------------
bla doesn't exist, so some kind of error

Actual result:
--------------
The instruction at "0x006d693c" referenced memory "0x000000c". The memory could not be "read"
 [2005-12-23 15:16 UTC] tony2001@php.net
Reproducible with 5.1.2-dev.
The backtrace is quite useless:

Program received signal SIGSEGV, Segmentation fault.
0x081d285e in zend_pzval_unlock_func (z=0x5a5a5a5a, should_free=0xbfffc76c) at /usr/src/dev/clean/php-src_5_1/Zend/zend_execute.c:66
66              if (!--z->refcount) {
(gdb) bt
#0  0x081d285e in zend_pzval_unlock_func (z=0x5a5a5a5a, should_free=0xbfffc76c) at /usr/src/dev/clean/php-src_5_1/Zend/zend_execute.c:66
#1  0x081d2c16 in _get_zval_ptr_ptr_var (node=0x82d8558, Ts=0xbfffc7c0, should_free=0xbfffc76c) at /usr/src/dev/clean/php-src_5_1/Zend/zend_execute.c:259
#2  0x081a4270 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_HANDLER (execute_data=0xbfffca30) at zend_vm_execute.h:8726
#3  0x0818f3ad in execute (op_array=0x82d3ed4) at zend_vm_execute.h:92
#4  0x081727c8 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/clean/php-src_5_1/Zend/zend.c:1101
#5  0x0812f104 in php_execute_script (primary_file=0xbfffeed0) at /usr/src/dev/clean/php-src_5_1/main/main.c:1720
#6  0x081d5d2e in main (argc=2, argv=0xbfffefb4) at /usr/src/dev/clean/php-src_5_1/sapi/cli/php_cli.c:1077

 [2005-12-26 13:20 UTC] helly@php.net
From dmitry:

The problem is:

$xml->bla->props[0]->name = 0;

For a nonexisting element "props" simplexml returns NULL with refcount == 0;
Then ZE tries to assign a dimension into it;
It converts NULL into an array;
inserts an uninitialized zval into it (for index 0);
stores the zval** for the next opcode.
Then it destroys the array, because the refcount is 0 (this 0 comes from simplexml).

Next opcode crashes because stored zval** is destroyed together with array.


This bug must be fixed in ext/simplexml.
It must care about the "type" argument of the read_property() callback and implement
implicit element/attribute creation or prohibit it.
ZE cannot handle such an assignment automatically. (It uses get_zval_ptr_ptr() for
that, but simplexml doesn't define it).


So this goes back to me
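The refcount lifetime described in the comment above, as an added toy model (not Zend engine or SimpleXML code, and not part of this bug report): a value is fetched from a read_property() stand-in, the engine locks it, converts the NULL into an array, inserts an element and keeps a pointer to that slot, then unlocks the operand the way zend_pzval_unlock_func does (`if (!--z->refcount)`). A value born with refcount 0 hits zero on that unlock and is destroyed together with the slot the next opcode still holds; a value the extension actually owns (refcount 1) survives. The value/slot types, `fetch_dim_w`, `run_assignment` and the poison-instead-of-free behaviour are assumptions made for the model so the dangling state can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a refcounted engine value. This is NOT Zend's zval; it keeps
 * only what the analysis needs: a refcount, a NULL/array type and a few
 * element slots. The "freed" flag stands in for memory that the real engine
 * hands back to the allocator (the 0x5a5a5a5a poison seen in the backtrace). */
typedef enum { T_NULL, T_ARRAY } vtype;

typedef struct value {
    int refcount;
    vtype type;
    struct value *elem[4];  /* array element slots (the zval** the engine keeps) */
    int freed;
} value;

static value *new_value(vtype type, int refcount) {
    value *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->type = type;
    v->refcount = refcount;
    return v;
}

/* Destroying an array releases its elements. Instead of free()ing the
 * container the model nulls its slots and marks it, so a pointer taken into
 * the array can be inspected safely afterwards. */
static void destroy(value *v) {
    for (int i = 0; i < 4; i++) {
        free(v->elem[i]);
        v->elem[i] = NULL;
    }
    v->freed = 1;
}

/* Stand-in for SimpleXML's read_property() on a missing child element.
 * fixed == 0: the behaviour from the report, a fresh NULL with refcount 0
 *             that nothing owns.
 * fixed == 1: the value is owned (refcount 1) by the node it belongs to. */
static value *read_property(int fixed) {
    return new_value(T_NULL, fixed ? 1 : 0);
}

/* Engine lock/unlock of an operand. unlock() mirrors zend_execute.c:66 in
 * the backtrace: `if (!--z->refcount)` destroys the value. */
static void lock_value(value *v)   { v->refcount++; }
static void unlock_value(value *v) { if (!--v->refcount) destroy(v); }

/* Model of the write fetch for `$x->bla->posts[$count]`: NULL becomes an
 * array, a new element is inserted at idx, and a pointer to the slot is
 * handed to the next opcode. */
static value **fetch_dim_w(value *container, int idx) {
    if (container->type == T_NULL) {
        container->type = T_ARRAY;
    }
    container->elem[idx] = new_value(T_NULL, 1);
    return &container->elem[idx];
}

/* Run the opcode sequence from the report. Returns 1 if the slot handed to
 * the next opcode (the `->name = ...` assignment) still points at a live
 * element, 0 if it dangles. */
static int run_assignment(int fixed) {
    value *container = read_property(fixed);
    lock_value(container);                   /* engine takes the temporary */
    value **slot = fetch_dim_w(container, 0);
    unlock_value(container);                 /* operand released after the opcode */

    /* ASSIGN_OBJ on *slot: if the container was destroyed on unlock, the
     * slot is gone. In the real engine this is a read of freed memory. */
    int alive = (*slot != NULL);

    /* model cleanup: the container itself was never free()d */
    if (!container->freed) destroy(container);
    free(container);
    return alive;
}

int main(void) {
    printf("refcount 0 from read_property: element %s\n",
           run_assignment(0) ? "alive" : "dangling");
    printf("refcount 1 from read_property: element %s\n",
           run_assignment(1) ? "alive" : "dangling");
    return 0;
}
```

The model makes the fix direction in the comment concrete: whatever read_property() hands back for a write fetch must either be owned by the object (so the engine's unlock cannot drop it) or the implicit creation must be refused up front; patching the engine to special-case a zero refcount would only hide the ownership bug in the extension.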
 [2006-02-26 17:50 UTC] helly@php.net
In HEAD the following raises an error now, but no more mem corruption:
$xml->bla->props[0]->name = $val;

This works now:
$xml->bla->props->name = $val;
 [2006-02-27 00:20 UTC] helly@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC