Bug #38347 Segmentation fault by calling foreach with an unknown/empty SimpleXMLElement.
Submitted: 2006-08-05 15:25 UTC Modified: 2006-08-06 17:41 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: gallien at teisger dot com Assigned:
Status: Closed Package: SimpleXML related
PHP Version: 6CVS-2006-08-05 (snap) OS: SuSE Linux 9.2
Private report: No CVE-ID: None
 [2006-08-05 15:25 UTC] gallien at teisger dot com
Description:
------------
I am using PHP CLI on SuSE Linux 9.2 and the following code produces a segmentation fault calling the php file with "/usr/bin/php test.php". The element "$xml->unknown" used for calling the function iterate() does not really exist.

It seems the function "sxe_find_element_by_name()" in "simplexml.c" returns a null pointer for "orgnode" and then "orgnode->children" is a very dangerous access (see backtrace).

configure: ./configure --prefix=/usr/local/php5 --with-apxs2=/usr/sbin/apxs2 --with-libxml-dir=/usr/lib --with-zlib --with-zlib-dir=/usr/lib --with-mysql=/usr/bin/mysql --with-gd --enable-sockets --with-gettext=/usr/bin/gettext --with-jpeg-dir=/usr/bin --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib

Reproduce code:
---------------
<?php

function iterate($xml)
{
    print_r($xml);
    // Reading ->item on the non-existent element is where the segfault occurs
    foreach ($xml->item as $item) {
        echo "This code will crash!";
    }
}

$xmlstr = "<xml><item>Item 1</item><item>Item 2</item></xml>";
$xml = simplexml_load_string($xmlstr);
// "unknown" is not an element of the document
iterate($xml->unknown);

?>


Expected result:
----------------
Error or warning but not a segmentation fault.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1077766880 (LWP 10600)]
sxe_property_get_adr (object=0x403e2458, member=0x403e3dfc)
    at /usr/local/src/php5.2-200608051230/ext/simplexml/simplexml.c:198
198                     node = orgnode->children;
(gdb) bt
#0  sxe_property_get_adr (object=0x403e2458, member=0x403e3dfc)
    at /usr/local/src/php5.2-200608051230/ext/simplexml/simplexml.c:198
#1  0x08247209 in zend_fetch_property_address (result=0xbfffcd90, container_ptr=0x403e4474,
    prop_ptr=0x403e3dfc, type=1) at /usr/local/src/php5.2-200608051230/Zend/zend_execute.c:1264
#2  0x0824ac88 in ZEND_FETCH_OBJ_W_SPEC_CV_CONST_HANDLER (execute_data=0xbfffcdf0)
    at /usr/local/src/php5.2-200608051230/Zend/zend_execute.c:271
#3  0x08278239 in execute (op_array=0x843c810) at zend_vm_execute.h:92
#4  0x0822dde9 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffcf40)
    at zend_vm_execute.h:234
#5  0x08278239 in execute (op_array=0x403e2908) at zend_vm_execute.h:92
#6  0x0821373f in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php5.2-200608051230/Zend/zend.c:1095
#7  0x081dbab9 in php_execute_script (primary_file=0xbffff410)
    at /usr/local/src/php5.2-200608051230/main/main.c:1759
#8  0x08279650 in main (argc=2, argv=0xbffff4e4)
    at /usr/local/src/php5.2-200608051230/sapi/cli/php_cli.c:1097
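As an added illustration (not PHP's source and not the CVS fix from this report), a small C model of the lookup path shown in the backtrace: a find-by-name that returns NULL for a missing element, and a guarded children access that avoids the NULL dereference at simplexml.c:198. The node struct, the tree and the function names are constructed stand-ins for libxml2's xmlNode and the simplexml.c routines.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for libxml2's xmlNode (constructed for this example). */
typedef struct node {
    const char *name;
    struct node *children;   /* first child element, or NULL */
    struct node *next;       /* next sibling, or NULL */
} node;

/* Models sxe_find_element_by_name(): first sibling in `list` called `name`,
 * or NULL when the element does not exist (the $xml->unknown case). */
static node *find_element_by_name(node *list, const char *name)
{
    for (node *n = list; n != NULL; n = n->next)
        if (strcmp(n->name, name) == 0)
            return n;
    return NULL;
}

/* Guarded form of the access at simplexml.c:198 in the backtrace, where
 * `node = orgnode->children` ran with orgnode == NULL. */
static node *property_get_children(node *parent, const char *member)
{
    node *orgnode = find_element_by_name(parent->children, member);
    if (orgnode == NULL)
        return NULL;         /* missing element: empty result, not a crash */
    return orgnode->children;
}

/* Count siblings named `name`; a NULL list simply yields 0 iterations. */
static int count_named(node *list, const char *name)
{
    int count = 0;
    for (node *n = list; n != NULL; n = n->next)
        if (strcmp(n->name, name) == 0)
            count++;
    return count;
}

/* Constructed tree for <xml><item>Item 1</item><item>Item 2</item></xml> */
static node item2 = { "item", NULL, NULL };
static node item1 = { "item", NULL, &item2 };
static node root  = { "xml", &item1, NULL };
int main(void)
{
    /* Equivalent of foreach ($xml->unknown->item ...): lookup fails, 0 items. */
    printf("items under <unknown>: %d\n",
           count_named(property_get_children(&root, "unknown"), "item"));
    return 0;
}
```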


History

 [2006-08-05 20:08 UTC] judas dot iscariote at gmail dot com
reproducible in current 5_2 too.
 [2006-08-06 17:41 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC