Segmentation fault in ext/simplexml/simplexml.c

[YuanchengJiang]

Description

The following code:

<?php
$xml =<<<EOF
<xml>
<fieldset1>
</fieldset1>
<fieldset2>
<options>
</options>
</fieldset2>
</xml>
EOF;
$sxe = new SimpleXMLIterator($xml);
$rit = new RecursiveIteratorIterator($sxe, RecursiveIteratorIterator::LEAVES_ONLY);
foreach ($rit as $child) {
$ancestry = $child->xpath('ancestor-or-self::*');
foreach ($ancestry as $ancestor) {
}
}
$fusion = $rit;
try
{
var_dump($fusion->key());
}
catch(BadMethodCallException $e)
{
}

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==789276==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000308 (pc 0x7eff85eb5959 bp 0x7ffc6cd98b70 sp 0x7ffc6cd98a78 T0)
==789276==The signal is caused by a READ memory access.
==789276==Hint: address points to the zero page.
    #0 0x7eff85eb5959 in xmlStrlen (/lib/x86_64-linux-gnu/libxml2.so.2+0xe0959) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)
    #1 0x55d32b9865a1 in php_sxe_iterator_current_key /php-src/ext/simplexml/simplexml.c:2498:3
    #2 0x55d32bab2f7b in zim_RecursiveIteratorIterator_key /php-src/ext/spl/spl_iterators.c:690:3
    #3 0x55d32ce484b3 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /php-src/Zend/zend_vm_execute.h:2025:4
    #4 0x55d32cba8f47 in execute_ex /php-src/Zend/zend_vm_execute.h:58585:7
    #5 0x55d32cbaa382 in zend_execute /php-src/Zend/zend_vm_execute.h:64237:2
    #6 0x55d32d6c74f8 in zend_execute_script /php-src/Zend/zend.c:1926:3
    #7 0x55d32c277e26 in php_execute_script_ex /php-src/main/main.c:2578:13
    #8 0x55d32c2786c8 in php_execute_script /php-src/main/main.c:2618:9
    #9 0x55d32d6d5ad3 in do_cli /php-src/sapi/cli/php_cli.c:935:5
    #10 0x55d32d6d14f2 in main /php-src/sapi/cli/php_cli.c:1309:18
    #11 0x7eff85a54d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #12 0x7eff85a54e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #13 0x55d32a403244 in _start (/php-src/sapi/cli/php+0x1c03244) (BuildId: ee1f743275c2fdd0ccef8e16c7fa1c0bff43bbe8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libxml2.so.2+0xe0959) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61) in xmlStrlen

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

[cmb69]

Not sure if that's a SimpleXML issue, but tentatively marking as such.

Anyhow, PHP-8.3 is affected as well, and maybe older branches too.

[iluuu1994]

Look like a null pointer is passed to xmlStrlen(), so it seems more like a PHP issue.

php-src/ext/simplexml/simplexml.c

Line 2498 in 2ced1c9

ZVAL_STRINGL(key, (char *) curnode->name, xmlStrlen(curnode->name));

/cc @nielsdos

[cmb69]

"Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end." – Henry Spencer

I still assume that is an issue with SimpleXMLIterator.

[iluuu1994]

Maybe, I don't know anything about simplexml. :)

[nielsdos]

I'll have a look. It reproduces on 8.2 too.