From b8b23bd24dfa7ce6aa9a73af7b29b36d93d3fc39 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 29 Sep 2025 15:18:03 +0200 Subject: [PATCH] Fix GH-19988: zend_string_init with NULL pointer in simplexml (UB) Normally, simplexml cannot import document nodes, but xsl allows to circumvent this. A document does not have a name, so we return the empty string in that case. While we could add an explicit check, we might as well switch the macro to a form that would be more optimal anyway as many tag names can be single characters. The test was added in xsl because adding it in simplexml would break out-of-tree builds of simplexml. --- ext/simplexml/simplexml.c | 2 +- ext/xsl/tests/gh19988.phpt | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 ext/xsl/tests/gh19988.phpt
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index 11f497a6673ea..6eae5650340c5 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -1661,7 +1661,7 @@ PHP_METHOD(SimpleXMLElement, getName)
 node = php_sxe_get_first_node(sxe, node);
 if (node) {
 namelen = xmlStrlen(node->name);
-RETURN_STRINGL((char*)node->name, namelen);
+RETURN_STRINGL_FAST((const char *) node->name, namelen);
 } else {
 RETURN_EMPTY_STRING();
 }
diff --git a/ext/xsl/tests/gh19988.phpt b/ext/xsl/tests/gh19988.phpt
new file mode 100644
index 0000000000000..174af282f9c09
--- /dev/null
+++ b/ext/xsl/tests/gh19988.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-19988 (zend_string_init with NULL pointer in simplexml (UB))
+--EXTENSIONS--
+simplexml
+xsl
+--CREDITS--
+YuanchengJiang
+--FILE--
+load(__DIR__ . '/53965/collection.xsl');
+$processor->importStylesheet($dom);
+$result = $processor->transformToDoc($sxe, SimpleXMLElement::class);
+var_dump($result->getName());
+?>
+--EXPECT--
+string(0) ""
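Review bot: The new RETURN_STRINGL_FAST line fixes the NULL dereference only implicitly: for a document node `node->name` is NULL, `xmlStrlen(NULL)` yields 0, and the macro returns the empty string for a zero length without reading the buffer, but nothing in the code says that `node->name` may be NULL at this point. A one-line comment above the call would stop a later refactor from switching back to a macro that unconditionally copies from the pointer, e.g. `/* node->name is NULL for document nodes (reachable via xsl); xmlStrlen gives 0 and RETURN_STRINGL_FAST then returns the empty string without touching the buffer. */`. Alternatively an explicit `if (node && node->name)` guard would make the intent independent of macro internals, with the NULL case falling into the existing RETURN_EMPTY_STRING branch. PHP_METHOD(SimpleXMLElement, getName) begins before the hunk and its closing brace lies outside it.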