Bug #35785 SimpleXML causes memory read error zend engine
Submitted: 2005-12-23 12:14 UTC Modified: 2006-02-27 00:20 UTC
From: TheFFF at gmail dot com Assigned: helly (profile)
Status: Closed Package: SimpleXML related
PHP Version: 5.1.2 OS: *
Private report: No CVE-ID: None


 [2005-12-23 12:14 UTC] TheFFF at gmail dot com
trying to set some values

Reproduce code:
<?php
$options["database"] = "xmldatabase";          // unrelated setup kept from the report
$x = simplexml_load_string("<root></root>");   // empty document, no <bla> or <posts>
$count = count($x->posts) + 1;                 // <posts> does not exist, so this is 1
// <bla> does not exist either; the dimension write on the missing <posts>
// child is what triggers the crash described below
$x->bla->posts[$count]->name = $_POST["name"];
echo $x->asXML();

also getting the error with simplexml_load_file();

Expected result:
bla doesn't exist so some kinda error

Actual result:
The instruction at "0x006d693c" referenced memory "0x000000c". The memory could not be "read"




 [2005-12-23 15:16 UTC]
Reproducible with 5.1.2-dev.
The backtrace is quite useless:

Program received signal SIGSEGV, Segmentation fault.
0x081d285e in zend_pzval_unlock_func (z=0x5a5a5a5a, should_free=0xbfffc76c) at /usr/src/dev/clean/php-src_5_1/Zend/zend_execute.c:66
66              if (!--z->refcount) {
(gdb) bt
#0  0x081d285e in zend_pzval_unlock_func (z=0x5a5a5a5a, should_free=0xbfffc76c) at /usr/src/dev/clean/php-src_5_1/Zend/zend_execute.c:66
#1  0x081d2c16 in _get_zval_ptr_ptr_var (node=0x82d8558, Ts=0xbfffc7c0, should_free=0xbfffc76c) at /usr/src/dev/clean/php-src_5_1/Zend/zend_execute.c:259
#2  0x081a4270 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_HANDLER (execute_data=0xbfffca30) at zend_vm_execute.h:8726
#3  0x0818f3ad in execute (op_array=0x82d3ed4) at zend_vm_execute.h:92
#4  0x081727c8 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/clean/php-src_5_1/Zend/zend.c:1101
#5  0x0812f104 in php_execute_script (primary_file=0xbfffeed0) at /usr/src/dev/clean/php-src_5_1/main/main.c:1720
#6  0x081d5d2e in main (argc=2, argv=0xbfffefb4) at /usr/src/dev/clean/php-src_5_1/sapi/cli/php_cli.c:1077

 [2005-12-26 13:20 UTC]
From dmitry:

The problem is:

$xml->bla->props[0]->name = 0;

For a nonexisting element "props" simplexml returns NULL with refcount == 0;
Then ZE tries to assign a dimension into it;
It converts NULL into an array;
inserts an uninitialized zval into it (for index 0);
stores zval** for the next opcode
Then it destroys the array, because refcount is 0 (this 0 comes from simplexml)

Next opcode crashes because stored zval** is destroyed together with array.

This bug must be fixed in ext/simplexml.
It must care about "type" argument of read_property() callback and implement
implicit element/attribute creation or prohibit it.
ZE cannot handle such an assignment automatically. (It uses get_zval_ptr_ptr() for
that, but simplexml doesn't define it).

So this goes back to me
 [2006-02-26 17:50 UTC]
In HEAD the following raises an error now, but no more mem corruption:
$xml->bla->props[0]->name = $val;

This works now:
$xml->bla->props->name = $val;
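An added example, not from the bug report or from the PHP sources, showing how to build the nested element the reporter's snippet tried to create. It creates each missing element explicitly with addChild() instead of relying on a dimension write on an element that does not exist, which is the path dmitry's analysis describes. The element names follow the reporter's snippet, the input document is constructed here, and the code assumes a PHP release with the ENT_XML1 flag (5.4 or later):

```php
<?php
// Added example: explicit element creation in SimpleXML.
// Names "bla", "posts" and "name" are taken from the reporter's snippet;
// the input document below is constructed for this example.
function add_post(SimpleXMLElement $root, string $name): SimpleXMLElement
{
    // Create the container element only when it is missing, rather than
    // letting a nested write on a missing element create it implicitly.
    if (!isset($root->bla)) {
        $root->addChild('bla');
    }

    // addChild() returns the element it created, so the new <posts> node
    // is a real element before anything is written into it.
    $post = $root->bla->addChild('posts');

    // addChild() does not escape its value argument, so untrusted text
    // (the reporter used $_POST["name"]) must be escaped for XML first.
    $post->addChild('name', htmlspecialchars($name, ENT_XML1 | ENT_QUOTES, 'UTF-8'));

    return $post;
}

function post_count(SimpleXMLElement $root): int
{
    // count() on a missing element is 0, so this is safe on an empty document too.
    return isset($root->bla) ? count($root->bla->posts) : 0;
}

$x = simplexml_load_string('<root></root>');   // constructed input
add_post($x, 'first');
add_post($x, 'a & b <c>');                     // escaped before insertion
echo post_count($x), "\n";
echo $x->asXML();
```

The difference from the reporter's snippet is that every element is created through addChild() before a child or text node is attached to it, so the assignment never goes through the NULL-with-refcount-0 value that the Zend Engine turned into a temporary array and freed.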
 [2006-02-27 00:20 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
