
Segmentation fault in RecursiveIteratorIterator->current() with a xml element input #16808


Closed
YuanchengJiang opened this issue Nov 15, 2024 · 3 comments

Comments

@YuanchengJiang

Description

The following code:

```php
<?php
$sx1 = new SimpleXMLElement("<root />");
$fusion = $sx1;
$test = new RecursiveIteratorIterator($fusion);
var_dump($test->current());
```

Resulted in this output:

/php-src/main/spprintf.c:376:14: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')

To reproduce: JIT 1015

PHP Version

nightly

Operating System

ubuntu 22.04

@nielsdos
Member

nielsdos commented Nov 15, 2024

It already goes wrong in non-JIT mode:

Fatal error: RecursiveIteratorIterator::current(): Return value must be of type mixed, null returned in Unknown on line 0

So the mixed type check for null isn't working properly apparently. But only for internal functions, userland functions seem fine... EDIT: actually on a release build it outputs "UNKNOWN:0" so that means an UNDEF value is produced somewhere and propagated...

@nielsdos
Member

nielsdos commented Nov 15, 2024

This is not a JIT nor opcache issue, the SXE iterator returns UNDEF when invalid (which is right EDIT: hmm or not will need to check) but SPL does not handle this right. Either it should check for validity first or check if the return value is UNDEF.

@nielsdos
Member

Okay, judging by how the other code works: the issue is that SXE returns UNDEF but it should return NULL; that's how the others do it too. So this is an SXE bug after all.
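An added regression check for the contract described in the comments above (this is not code from the issue or from php-src): a RecursiveIterator at an invalid position must make RecursiveIteratorIterator::current() return a real NULL, never an UNDEF slot. It assumes a PHP 8 build; the class and function names are constructed for this example.

```php
<?php
// Constructed regression check, not part of the issue or of php-src.
declare(strict_types=1);

/** Minimal userland RecursiveIterator that is always exhausted. */
final class EmptyRecursiveIterator implements RecursiveIterator
{
    public function current(): mixed { return null; }
    public function key(): mixed { return null; }
    public function next(): void {}
    public function rewind(): void {}
    public function valid(): bool { return false; }
    public function hasChildren(): bool { return false; }
    public function getChildren(): ?RecursiveIterator { return null; }
}

/**
 * Wraps $inner the way the report does and returns true only when the
 * contract holds: the outer iterator is invalid and current() is NULL.
 */
function currentIsNullWhenInvalid(RecursiveIterator $inner): bool
{
    $outer = new RecursiveIteratorIterator($inner);
    $outer->rewind();                       // what foreach does first
    return !$outer->valid() && $outer->current() === null;
}

$cases = [
    'userland'  => new EmptyRecursiveIterator(),
    'array'     => new RecursiveArrayIterator([]),
    'simplexml' => new SimpleXMLElement('<root />'),  // the original reproducer
];

foreach ($cases as $name => $inner) {
    $ok = currentIsNullWhenInvalid($inner);
    printf("%-10s %s\n", $name, $ok ? 'ok' : 'BUG: non-NULL from current()');
}

// Defensive usage on any PHP version: consult valid() before current().
$it = new RecursiveIteratorIterator(new SimpleXMLElement('<root />'));
foreach ($it as $node) {   // foreach checks valid() before reading current()
    echo $node->getName(), "\n";
}
```

On an unfixed debug build the 'simplexml' case does not reach the printf at all: the mixed return-type check fires first, which is the "Return value must be of type mixed, null returned" fatal quoted earlier in this thread.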

@nielsdos nielsdos self-assigned this Nov 15, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Nov 15, 2024
…rent() with a xml element input

When the current data is invalid, NULL must be returned. At least that's
how the check in SPL works and how other extensions do this as well.
If we don't do this, an UNDEF value gets propagated to a return value
(misprinted as null), leading to issues.
nielsdos added a commit that referenced this issue Nov 16, 2024
* PHP-8.2:
  Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input
nielsdos added a commit that referenced this issue Nov 16, 2024
* PHP-8.3:
  Fix GH-16777: Calling the constructor again on a DOM object after it is in a document causes UAF
  Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input
nielsdos added a commit that referenced this issue Nov 16, 2024
* PHP-8.4:
  Fix GH-16777: Calling the constructor again on a DOM object after it is in a document causes UAF
  Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input