#35785 [Asn]: SimpleXML causes memory read error zend engine

Mon, 26 Dec 2005 04:20:22 -0800 

 ID:               35785
 Updated by:       [EMAIL PROTECTED]
 Reported By:      TheFFF at gmail dot com
 Status:           Assigned
 Bug Type:         Scripting Engine problem
 Operating System: *
 PHP Version:      5CVS-2005-12-26 (cvs)
-Assigned To:      dmitry
+Assigned To:      helly
 New Comment:

>From dmitry:

The problem is:

$xml->bla-props[0]->name = 0;

For nonexisting element "props" simplexml returns NULL with refcount ==
0;
Then ZE trying to assign dimension into it;
It converts NULL into array;
inserts uninitialized zval into it (for index 0);
stores zval** for next opcode
Then it destroys array, because refcount is 0 (this 0 comes from
simplexml)

Next opcode crashes because stored zval** is destroyed together with
array.


This bug must be fixed in ext/simplexml.
It must care about "type" argument of read_property() callback and
implement
implicit element/attribute creation or prohibit it.
ZE cannot handle such assignment automatic. (It uses get_zval_ptr_ptr()
for
that, but simplexml doesn't define it).


So this goes back to me


Previous Comments:
------------------------------------------------------------------------

[2005-12-26 12:06:36] [EMAIL PROTECTED]

I see my fix was reverted.

------------------------------------------------------------------------

[2005-12-26 06:26:21] judas dot iscariote at gmail dot com

Notice: Undefined index:  name in bug35785.php on line 6

Warning: Attempt to assign property of non-object in bug35785.php on
line 6
<?xml version="1.0"?>
<root/>

no error messages in the apache log, not crashing.

------------------------------------------------------------------------

[2005-12-25 23:05:52] [EMAIL PROTECTED]

Still reproducible with the latest 5.1 CVS.
Backtrace is the same.

------------------------------------------------------------------------

[2005-12-23 22:52:04] TheFFF at gmail dot com

you are more then welcome an its amazing how fast this got fixed guys
behind php YOU ROCK!

------------------------------------------------------------------------

[2005-12-23 21:38:50] [EMAIL PROTECTED]

Actually this was a zend engine problem.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/35785

-- 
Edit this bug report at http://bugs.php.net/?id=35785&edit=1

Reply via email to