Fix getting the address of an uninitialized property of a SimpleXMLEl…

…ement resulting in a crash Closes GH-12945.
php · Dec 17, 2023 · abf4c11 · abf4c11
1 parent a6d17bf
commit abf4c11
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -23,6 +23,10 @@ PHP                                                                        NEWS
 - PHPDBG:
   . Fixed bug GH-12962 (Double free of init_file in phpdbg_prompt.c). (nielsdos)
 
+- SimpleXML:
+  . Fix getting the address of an uninitialized property of a SimpleXMLElement
+    resulting in a crash. (nielsdos)
+
 21 Dec 2023, PHP 8.2.14
 
 - Core:

diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
@@ -636,6 +636,9 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f
 
 	sxe = php_sxe_fetch_object(object);
 	GET_NODE(sxe, node);
+	if (UNEXPECTED(!node)) {
+		return &EG(error_zval);
+	}
 	name = ZSTR_VAL(zname);
 	node = sxe_get_element_by_name(sxe, node, &name, &type);
 	if (node) {

diff --git a/ext/simplexml/tests/get_prop_address_not_initialized.phpt b/ext/simplexml/tests/get_prop_address_not_initialized.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Getting the address of an uninitialized property of a SimpleXMLElement
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+
+$rc = new ReflectionClass('SimpleXMLElement');
+$sxe = $rc->newInstanceWithoutConstructor();
+$sxe->a['b'] = 'b';
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: SimpleXMLElement is not properly initialized in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d