Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input

ndossche · ndossche · commit 8e00e468d930 · 2024-11-15T21:38:27.000+01:00
When the current data is invalid, NULL must be returned. At least that's
how the check in SPL works and how other extensions do this as well.
If we don't do this, an UNDEF value gets propagated to a return value
(misprinted as null); leading to issues.
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
@@ -2539,7 +2539,11 @@ static zval *php_sxe_iterator_current_data(zend_object_iterator *iter) /* {{{ */
 {
 	php_sxe_iterator *iterator = (php_sxe_iterator *)iter;
 
-	return &iterator->sxe->iter.data;
+	zval *data = &iterator->sxe->iter.data;
+	if (Z_ISUNDEF_P(data)) {
+		return NULL;
+	}
+	return data;
 }
 /* }}} */
 
diff --git a/ext/simplexml/tests/gh16808.phpt b/ext/simplexml/tests/gh16808.phpt
@@ -0,0 +1,12 @@
+--TEST--
+GH-16808 (Segmentation fault in RecursiveIteratorIterator->current() with a xml element input)
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+$sxe = new SimpleXMLElement("<root />");
+$test = new RecursiveIteratorIterator($sxe);
+var_dump($test->current());
+?>
+--EXPECT--
+NULL

Original file line number	Diff line number	Diff line change
`@@ -2539,7 +2539,11 @@ static zval php_sxe_iterator_current_data(zend_object_iterator iter) /* {{{ */`
`2539`	`2539`	`{`
`2540`	`2540`	`php_sxe_iterator iterator = (php_sxe_iterator )iter;`
`2541`	`2541`
`2542`		`- return &iterator->sxe->iter.data;`
	`2542`	`+ zval *data = &iterator->sxe->iter.data;`
	`2543`	`+ if (Z_ISUNDEF_P(data)) {`
	`2544`	`+ return NULL;`
	`2545`	`+ }`
	`2546`	`+ return data;`
`2543`	`2547`	`}`
`2544`	`2548`	`/* }}} */`
`2545`	`2549`