diff options
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/simplexml/simplexml.c | 12 | ||||
-rw-r--r-- | ext/simplexml/tests/bug41582.phpt | 16 |
3 files changed, 27 insertions, 3 deletions
@@ -10,6 +10,8 @@ PHP NEWS exists (pecl bug #11216) (Pierre) GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Fixed bug #41594 (Statement cache is flushed too frequently). (Tony) +- Fixed bug #41582 (SimpleXML crashes when accessing newly created element). + (Tony) - Fixed bug #41576 (configure failure when using --without-apxs or some other SAPIs disabling options). (Jani) - Fixed bug #41567 (json_encode() double conversion is inconsistent with diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index dc5b6c8983..4c0fdf11a2 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c @@ -238,7 +238,7 @@ next_iter: /* {{{ sxe_prop_dim_read() */ -static zval * sxe_prop_dim_read(zval *object, zval *member, zend_bool elements, zend_bool attribs, zend_bool silent TSRMLS_DC) +static zval * sxe_prop_dim_read(zval *object, zval *member, zend_bool elements, zend_bool attribs, int type TSRMLS_DC) { zval *return_value; php_sxe_object *sxe; @@ -249,6 +249,12 @@ static zval * sxe_prop_dim_read(zval *object, zval *member, zend_bool elements, int nodendx = 0; int test = 0; + if (!member) { + return_value = &EG(uninitialized_zval); + return_value->is_ref = 1; + return return_value; + } + sxe = php_sxe_fetch_object(object TSRMLS_CC); if (Z_TYPE_P(member) == IS_LONG) { @@ -357,7 +363,7 @@ static zval * sxe_prop_dim_read(zval *object, zval *member, zend_bool elements, */ static zval * sxe_property_read(zval *object, zval *member, int type TSRMLS_DC) { - return sxe_prop_dim_read(object, member, 1, 0, type == BP_VAR_IS TSRMLS_CC); + return sxe_prop_dim_read(object, member, 1, 0, type TSRMLS_CC); } /* }}} */ @@ -365,7 +371,7 @@ static zval * sxe_property_read(zval *object, zval *member, int type TSRMLS_DC) */ static zval * sxe_dimension_read(zval *object, zval *offset, int type TSRMLS_DC) { - return sxe_prop_dim_read(object, offset, 0, 1, 0 TSRMLS_CC); + return sxe_prop_dim_read(object, offset, 0, 1, type TSRMLS_CC); } /* }}} */ diff --git a/ext/simplexml/tests/bug41582.phpt b/ext/simplexml/tests/bug41582.phpt new file mode 100644 index 0000000000..5f0aa78006 --- /dev/null +++ b/ext/simplexml/tests/bug41582.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #41582 (SimpleXML crashes when accessing newly created element) +--FILE-- +<?php + +$xml = new SimpleXMLElement('<?xml version="1.0" standalone="yes"?> +<collection></collection>'); + +$xml->movie[]->characters->character[0]->name = 'Miss Coder'; + +var_dump($xml->asXml()); + +echo "Done\n"; +?> +--EXPECTF-- +Fatal error: Cannot use object of type stdClass as array in %s on line %d |