Bug #41582 SimpleXML crashes.
Submitted: 2007-06-04 09:53 UTC Modified: 2007-06-26 01:00 UTC
Votes:3
Avg. Score:3.7 ± 0.9
Reproduced:2 of 3 (66.7%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: judas dot iscariote at gmail dot com
Assigned: dmitry
Status: No Feedback
Package: SimpleXML related
PHP Version: 5CVS-2007-06-04 (CVS)
OS: Any
Private report: No
CVE-ID:

 [2007-06-04 09:53 UTC] judas dot iscariote at gmail dot com
Description:
------------
The following code segfaults.

Reproduce code:
---------------
<?php

$xml = new SimpleXMLElement('<?xml version="1.0" standalone="yes"?> <collection></collection>');

$xml->movie[]->characters->character[0]->name = 'Miss Coder';

// or this, which crashes too (same issue)
//$xml->movie[0]->characters->character[]->name = 'Miss Coder';

var_dump($xml->asXml());

?>


Expected result:
----------------
Fatal Error: cannot use [] for reading.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47237115809024 (LWP 23360)]
0x000000000056e7d0 in sxe_prop_dim_read (object=0xc94dd8, member=0x0, elements=0 '\0', attribs=1 '\001', silent=0 '\0')
    at /home/cristian/php5/ext/simplexml/simplexml.c:254
254             if (Z_TYPE_P(member) == IS_LONG) {
....




 [2007-06-04 10:59 UTC] tony2001@php.net
Marcus, check the patch out:
http://dev.daylessday.org/diff/bug41582.diff
 [2007-06-05 10:03 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-06-06 10:53 UTC] judas dot iscariote at gmail dot com
Fix works, but leaks memory in the above situation.

$xml = new SimpleXMLElement('<?xml version="1.0" standalone="yes"?> <collection></collection>');

$xml->movie[1]->characters->character[]->name = 'Miss Coder';


Zend/zend_execute.c(1249) :  Freeing 0x00C97DA0 (24 bytes), script=simplecrashes.php
=== Total 1 memory leaks detected ===
 [2007-06-06 11:28 UTC] tony2001@php.net
Well, there are some cases which cannot be fixed at all.
Fortunately they only happen when the code is b0rked, so I don't think it's critical.
Marcus, can you think of any solution for the leak?
 [2007-06-13 13:53 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-06-15 06:32 UTC] judas dot iscariote at gmail dot com
Dmitry, first, thanks for taking care of correcting the leak. However, now a funny warning is raised!!

$xml->movie[1]->characters->character[]->name = 'Miss Coder';

causes:

Warning: main(): (main ? x_X) 

Cannot add element movie number 1 when only 0 such elements exist in...(this part is correct though)

That's not so annoying or critical and we can live with it, however it does not look good.

Additionally, I gave this stuff a better test now, and I'm still able to find some good as well edge/wrong cases where this stuff needs improvement.

For example:


$xml->movie[2.5]->characters->character[0]->name = '';

leaks memory as well. This is bad code of course ;) however I think this raises the real issue. IMHO the code should check if the element number is >= 0 and an integer (not a float, maybe cast it to integer? and/or emit a warning/notice when the wrong type is used...)


Another case, that "looks" valid:

// the string '0';
$xml->movie['0']->characters->character[0]->name = '';

leaks memory and emits...
Notice: Indirect modification of overloaded element of SimpleXMLElement has no effect in .. but 0 as an integer works fine :-)
 [2007-06-18 13:39 UTC] nlopess@php.net
Dmitry: new comment added that may need your attention
 [2007-06-18 14:27 UTC] dmitry@php.net
The warning in first case is right. You cannot add element with index 1.

In the following examples you try to set an XML attribute with name '2.5' and '0' and add something to this attribute. It is not possible to add something to an attribute, and the engine told you that "Indirect modification of overloaded element of SimpleXMLElement has no effect". Memory leaks in such a situation are expected.

The only thing that I can do - prevent creation of attributes with numeric names.
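
The offset checks discussed in this thread, as an added example that is not part of the report and not PHP's own code: a simplified C model of resolving `$node->name[offset]` that rejects the NULL `member` seen in the backtrace before reading its type, applies the "only N such elements exist" bound, and refuses numeric attribute names as proposed in the comment above. The `zv` struct, the `dim_kind` enum and `resolve_dim` are hypothetical stand-ins for the Zend types and handler; the negative-index check follows the reporter's suggestion.

```c
#include <stddef.h>

/* Simplified stand-ins for Zend's zval and type tags (assumed, not PHP's headers). */
typedef enum { T_LONG, T_DOUBLE, T_STRING } ztype;
typedef struct { ztype type; long lval; const char *sval; } zv;

typedef enum {
    DIM_ELEMENT,          /* integer offset: n-th child element */
    DIM_ATTRIBUTE,        /* non-numeric string offset: attribute name */
    DIM_ERR_EMPTY_OFFSET, /* `[]` reached the read path: there is no offset */
    DIM_ERR_RANGE,        /* negative index, or one that skips past existing elements */
    DIM_ERR_NUMERIC_NAME  /* 2.5 or '0' would become a numeric attribute name */
} dim_kind;

/* Returns 1 when s consists only of digits with at most one '.', e.g. "0" or "2.5". */
static int is_numeric_name(const char *s)
{
    int digits = 0, dots = 0;
    if (s == NULL) return 0;
    for (; *s; s++) {
        if (*s >= '0' && *s <= '9') digits++;
        else if (*s == '.' && dots == 0) dots++;
        else return 0;
    }
    return digits > 0;
}

/* Hypothetical resolver; `existing` is the number of same-named child elements. */
dim_kind resolve_dim(const zv *member, long existing)
{
    /* The reported crash read the type tag through member == NULL.
       Reject the missing offset before touching member->type. */
    if (member == NULL) return DIM_ERR_EMPTY_OFFSET;

    switch (member->type) {
    case T_LONG:
        /* Index == existing creates the next element; anything beyond is the
           "Cannot add element ... when only N such elements exist" case. */
        if (member->lval < 0 || member->lval > existing) return DIM_ERR_RANGE;
        return DIM_ELEMENT;
    case T_DOUBLE:
        return DIM_ERR_NUMERIC_NAME;
    case T_STRING:
        return is_numeric_name(member->sval) ? DIM_ERR_NUMERIC_NAME : DIM_ATTRIBUTE;
    }
    return DIM_ERR_RANGE; /* unknown type tag: refuse rather than guess */
}
```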
 [2007-06-26 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
Last updated: Sat Apr 19 19:02:15 2014 UTC