From 70046fe0d242d63b57266c87d427c04dab58edad Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Fri, 31 Mar 2023 00:27:30 +0200 Subject: [PATCH] Fix GH-10983: State-dependant segfault in ReflectionObject::getProperties This is a variant of GH-10200, but in a different place. Basically, simplexml may create a properties table that's packed instead of associative. But the macro that was used to loop over the properties table assumed that it was always associative. Replace it by the macro that figures it out automatically which one of the two it is. --- ext/reflection/php_reflection.c | 2 +- ext/simplexml/tests/gh10983.phpt | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 ext/simplexml/tests/gh10983.phpt diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c index 38d86c32ab6b8..668ad768b384a 100644 --- a/ext/reflection/php_reflection.c +++ b/ext/reflection/php_reflection.c @@ -4686,7 +4686,7 @@ ZEND_METHOD(ReflectionClass, getProperties) if (Z_TYPE(intern->obj) != IS_UNDEF && (filter & ZEND_ACC_PUBLIC) != 0) { HashTable *properties = Z_OBJ_HT(intern->obj)->get_properties(Z_OBJ(intern->obj)); zval *prop; - ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(properties, key, prop) { + ZEND_HASH_FOREACH_STR_KEY_VAL(properties, key, prop) { _adddynproperty(prop, key, ce, return_value); } ZEND_HASH_FOREACH_END(); } diff --git a/ext/simplexml/tests/gh10983.phpt b/ext/simplexml/tests/gh10983.phpt new file mode 100644 index 0000000000000..ae6da92d7de2f --- /dev/null +++ b/ext/simplexml/tests/gh10983.phpt @@ -0,0 +1,23 @@ +--TEST-- +GH-10983 (State-dependant segfault in ReflectionObject::getProperties) +--EXTENSIONS-- +simplexml +--FILE-- + +XML; + +$simplexml = simplexml_load_string($xml); + +var_dump($simplexml['name']); +$reflector = new ReflectionObject($simplexml['name']); +$rprops = $reflector->getProperties(); + +?> +--EXPECT-- +object(SimpleXMLElement)#2 (1) { + [0]=> + string(4) "test" +}