Fix GH-15837: Segmentation fault in ext/simplexml/simplexml.c

We should check if the iterator data is still valid, because if it
isn't, then the type info is UNDEF, but the pointer value may be
dangling.

Closes GH-15841.

Author: nielsdos

NEWS

@@ -8,6 +8,10 @@ PHP                                                                        NEWS
   . Fixed regression where signs after the first one were ignored while parsing
     a signed integer, with the DateTimeInterface::modify() function. (Derick)
 
+- SimpleXML:
+  . Fixed bug GH-15837 (Segmentation fault in ext/simplexml/simplexml.c).
+    (nielsdos)
+
 - SOAP:
   . Fixed bug #62900 (Wrong namespace on xsd import error message). (nielsdos)
 

ext/simplexml/simplexml.c

@@ -2547,6 +2547,11 @@ static void php_sxe_iterator_current_key(zend_object_iterator *iter, zval *key)
 {
 	php_sxe_iterator *iterator = (php_sxe_iterator *)iter;
 	zval *curobj = &iterator->sxe->iter.data;
+	if (Z_ISUNDEF_P(curobj)) {
+		ZVAL_NULL(key);
+		return;
+	}
+
 	php_sxe_object *intern = Z_SXEOBJ_P(curobj);
 
 	xmlNodePtr curnode = NULL;

ext/simplexml/tests/gh15837.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-15837 (Segmentation fault in ext/simplexml/simplexml.c)
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+$xml =<<<EOF
+<xml>
+<fieldset1>
+</fieldset1>
+<fieldset2>
+<options>
+</options>
+</fieldset2>
+</xml>
+EOF;
+$sxe = new SimpleXMLIterator($xml);
+$rit = new RecursiveIteratorIterator($sxe, RecursiveIteratorIterator::LEAVES_ONLY);
+foreach ($rit as $child) {
+    $ancestry = $child->xpath('ancestor-or-self::*');
+    // Exhaust internal iterator
+    foreach ($ancestry as $ancestor) {
+    }
+}
+var_dump($rit->valid());
+var_dump($rit->key());
+?>
+--EXPECT--
+bool(false)
+NULL