
SimpleXML crash when using autovivification on document #17153

Closed
YuanchengJiang opened this issue Dec 14, 2024 · 0 comments

@YuanchengJiang

Description

The following code:

<?php
// Subclass so that objects created by the XSLT transform use this class.
class AdvancedXMLElement extends SimpleXMLElement {
}
// collection.xml and collection.xsl are external fixtures referenced by the report.
$sxe = simplexml_load_file(__DIR__ . '/53965/collection.xml', AdvancedXMLElement::class);
$processor = new XSLTProcessor;
$dom = new DOMDocument;
$dom->load(__DIR__ . '/53965/collection.xsl');
$processor->importStylesheet($dom);
// transformToDoc() returns a SimpleXML object wrapping the whole result document, not an element.
$result = $processor->transformToDoc($sxe, AdvancedXMLElement::class);
$fusion = $result;
$x = (object)['a'=>1,'b'=>2,'c'=>3,'d'=>4,'e'=>5,'f'=>6,'g'=>7];
// Reference assignment autovivifies $x->i and stores property "h" on the document wrapper.
$fusion->h =& $x->i;
// var_dump() walks the SimpleXML property table and crashes in match_ns().
var_dump(get_defined_vars());

Resulted in this output:

=================================================================
==3489492==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8003 (pc 0x00000262ad8c bp 0x7ffcc685bdf0 sp 0x7ffcc685bd30 T0)
==3489492==The signal is caused by a READ memory access.
    #0 0x262ad8c in match_ns /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/simplexml/simplexml.c:111:53
    #1 0x2643881 in sxe_get_prop_hash /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/simplexml/simplexml.c:1145:45
    #2 0x2625d97 in sxe_get_debug_info /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/simplexml/simplexml.c:1201:9
    #3 0x4b9fffa in zend_std_get_properties_for /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_object_handlers.c:2388:10
    #4 0x4ba0d11 in zend_get_properties_for /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_object_handlers.c:2437:9
    #5 0x3242a6a in php_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:178:11
    #6 0x3244cbe in php_array_element_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:51:2
    #7 0x32417e6 in php_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:152:5
    #8 0x3246bda in zif_var_dump /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/var.c:245:3
    #9 0x4484b19 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1299:2
    #10 0x3f7c237 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #11 0x3f7e4bc in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #12 0x4d151c9 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #13 0x35298da in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #14 0x352aa18 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #15 0x4d294da in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #16 0x4d239bf in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #17 0x7f36cec45d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7f36cec45e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/simplexml/simplexml.c:111:53 in match_ns
==3489492==ABORTING

dependency: collection.xml

PHP Version

nightly

Operating System

ubuntu 22.04

@nielsdos nielsdos changed the title Segmentation fault ext/simplexml/simplexml.c:111:53 in match_ns SimpleXML crash when using autovivification on document Dec 14, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Dec 14, 2024
In the case of a member string, `mynode` may also be a document, which
doesn't have a namespace.
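The commit message describes a type-confusion bug class: a document node was treated as if it were an element and its `ns` field read. The following added example illustrates that class and the fix pattern in C; it is not php-src or libxml2 code. The structs `xml_node_t` and `xml_doc_t` are simplified stand-ins for libxml2's `xmlNode` and `xmlDoc` (only the node type codes, `XML_ELEMENT_NODE` = 1 and `XML_DOCUMENT_NODE` = 9, are taken from libxml2), and the functions `match_ns_unchecked` and `match_ns_checked` are hypothetical names for the before and after shape of the check, simplified to compare the namespace href only.

```c
/* Added illustration of the bug class behind GH-17153; not php-src or libxml2
 * code. The two structs below are simplified stand-ins for libxml2's xmlNode
 * and xmlDoc: both start with the same header fields (here: _private, type,
 * name), but only an element node has an `ns` pointer after the header. In a
 * document the same offset holds unrelated integer fields, so code that treats
 * a document as an element and reads `ns` picks up garbage, and dereferencing
 * that "pointer" is the kind of SEGV AddressSanitizer reported in match_ns. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Node type codes with the values libxml2 uses (xmlElementType). */
enum node_type { ELEMENT_NODE = 1, DOCUMENT_NODE = 9 };

typedef struct xml_ns { const char *href; const char *prefix; } xml_ns_t;

#define COMMON_NODE_HEADER \
    void *_private;        \
    enum node_type type;   \
    const char *name;

/* Element-like node: header followed by the namespace pointer. */
typedef struct xml_node { COMMON_NODE_HEADER xml_ns_t *ns; } xml_node_t;

/* Document: same header, but plain integers where an element keeps `ns`. */
typedef struct xml_doc { COMMON_NODE_HEADER int compression; int standalone; } xml_doc_t;

/* Pre-fix shape of the check: assumes every node carries `ns`. Called with a
 * document cast to xml_node_t*, it reinterprets `compression`/`standalone`
 * as a pointer, so it must never be reached for a document. */
static bool match_ns_unchecked(const xml_node_t *node, const char *href)
{
    if (href == NULL) {
        return node->ns == NULL;
    }
    return node->ns != NULL && strcmp(node->ns->href, href) == 0;
}

/* Fixed shape, following the commit message: a document has no namespace,
 * so decide by `type` before touching `ns`. */
static bool match_ns_checked(const xml_node_t *node, const char *href)
{
    if (node->type == DOCUMENT_NODE) {
        return href == NULL; /* a document only matches "no namespace" */
    }
    return match_ns_unchecked(node, href);
}

/* Shows that the two layouts really do overlap at the `ns` offset. */
bool ns_offset_overlaps_doc_fields(void)
{
    return offsetof(xml_node_t, ns) == offsetof(xml_doc_t, compression);
}

/* Runs the checked matcher over a constructed document whose overlapping slot
 * holds non-zero integers; returns true if it answered without interpreting
 * those integers as a pointer. */
bool document_checked_safely(void)
{
    xml_doc_t doc = { .type = DOCUMENT_NODE, .name = "document",
                      .compression = 0x12345678, .standalone = 1 }; /* constructed */
    const xml_node_t *as_node = (const xml_node_t *)&doc; /* the cast the buggy path amounts to */
    return match_ns_checked(as_node, NULL) == true
        && match_ns_checked(as_node, "urn:x") == false;
}

/* Sanity check that namespace comparison still works for real elements. */
bool element_matches_namespace(void)
{
    xml_ns_t ns = { "urn:example:books", "b" }; /* constructed */
    xml_node_t el = { .type = ELEMENT_NODE, .name = "book", .ns = &ns };
    return match_ns_checked(&el, "urn:example:books")
        && !match_ns_checked(&el, "urn:other")
        && !match_ns_checked(&el, NULL);
}

int main(void)
{
    printf("ns offset overlaps document fields: %s\n",
           ns_offset_overlaps_doc_fields() ? "yes" : "no");
    printf("document handled without dereferencing garbage: %s\n",
           document_checked_safely() ? "yes" : "no");
    printf("element namespace matching intact: %s\n",
           element_matches_namespace() ? "yes" : "no");
    return 0;
}
```

The point of the example is the guard in `match_ns_checked`: any accessor that can be handed a node of several libxml2 types must dispatch on `type` before reading a field that only some of those types have, because the shared header is the only part of the layout the types have in common.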
nielsdos added a commit that referenced this issue Dec 15, 2024
* PHP-8.3:
  Fix GH-17153: SimpleXML crash when using autovivification on document
nielsdos added a commit that referenced this issue Dec 15, 2024
* PHP-8.4:
  Fix GH-17153: SimpleXML crash when using autovivification on document