From 8e00e468d93040ff9a5da4a92bfbe9f8dacfd9ba Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 15 Nov 2024 21:38:27 +0100
Subject: [PATCH] Fix GH-16808: Segmentation fault in
 RecursiveIteratorIterator->current() with a xml element input

When the current data is invalid, NULL must be returned. At least that's
how the check in SPL works and how other extensions do this as well.
If we don't do this, an UNDEF value gets propagated to a return value
(misprinted as null); leading to issues.
---
 ext/simplexml/simplexml.c        |  6 +++++-
 ext/simplexml/tests/gh16808.phpt | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 ext/simplexml/tests/gh16808.phpt

diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index 21cd5cdb4c7bd..7e1dcf9eb2a3b 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -2539,7 +2539,11 @@ static zval *php_sxe_iterator_current_data(zend_object_iterator *iter) /* {{{ */
 {
 	php_sxe_iterator *iterator = (php_sxe_iterator *)iter;
 
-	return &iterator->sxe->iter.data;
+	zval *data = &iterator->sxe->iter.data;
+	if (Z_ISUNDEF_P(data)) {
+		return NULL;
+	}
+	return data;
 }
 /* }}} */
 
diff --git a/ext/simplexml/tests/gh16808.phpt b/ext/simplexml/tests/gh16808.phpt
new file mode 100644
index 0000000000000..be0bc59fb655a
--- /dev/null
+++ b/ext/simplexml/tests/gh16808.phpt
@@ -0,0 +1,12 @@
+--TEST--
+GH-16808 (Segmentation fault in RecursiveIteratorIterator->current() with a xml element input)
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+$sxe = new SimpleXMLElement("<root />");
+$test = new RecursiveIteratorIterator($sxe);
+var_dump($test->current());
+?>
+--EXPECT--
+NULL