From: Antony Dovgal Date: Sun, 6 Aug 2006 17:41:51 +0000 (+0000) Subject: MFH: fix #38347 (Segmentation fault when using foreach with an unknown/empty SimpleXM... X-Git-Tag: php-5.2.0RC2~95 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=07b5c8fe2a5f3a3714641c543a9d9e12799ac1bb;p=php MFH: fix #38347 (Segmentation fault when using foreach with an unknown/empty SimpleXMLElement) --- diff --git a/NEWS b/NEWS index 7b1e47709e..37b69e5dcf 100644 --- a/NEWS +++ b/NEWS @@ -30,6 +30,8 @@ PHP NEWS - Fixed phpinfo() cutoff of variables at \0. (Ilia) - Fixed a bug in the filter extension that prevented magic_quotes_gpc from being applied when RAW filter is used. (Ilia) +- Fixed bug #38347 (Segmentation fault when using foreach with an unknown/empty + SimpleXMLElement). (Tony) - Fixed bug #38322 (reading past array in sscanf() leads to arbitary code execution). (Tony) - Fixed bug #38303 (spl_autoload_register() supress all errors silently). diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c index 7326d57a3c..80b6697236 100644 --- a/ext/libxml/libxml.c +++ b/ext/libxml/libxml.c @@ -966,8 +966,8 @@ int php_libxml_decrement_doc_ref(php_libxml_node_object *object TSRMLS_DC) { efree(object->document->doc_props); } efree(object->document); + object->document = NULL; } - object->document = NULL; } return ret_refcount; @@ -1025,6 +1025,8 @@ void php_libxml_node_decrement_resource(php_libxml_node_object *object TSRMLS_DC obj_node->_private = NULL; } } + } + if (object != NULL && object->document != NULL) { /* Safe to call as if the resource were freed then doc pointer is NULL */ php_libxml_decrement_doc_ref(object TSRMLS_CC); } diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index 22757412ca..7a3a335deb 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c 
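Review bot: With `object->document = NULL;` now inside the block that ends in `efree(object->document);`, an object whose release does not free the document keeps its pointer to it after php_libxml_decrement_doc_ref returns. If that block is the count-reached-zero branch (its condition lies outside the hunk), a second release through the same object would lower the shared count again, and the document could be freed while other objects still point at it. The second libxml.c hunk uses `object->document != NULL` as its guard, so it would not stop such a repeat call. I would keep the reset unconditional after the inner brace, or add a comment such as `/* pointer kept while the document is still shared; each object must release it only once */` naming the caller that needs it.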
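Review bot: The comment `/* Safe to call as if the resource were freed then doc pointer is NULL */` is carried over unchanged into the new `if (object != NULL && object->document != NULL)` block, where it no longer says why the call is made. The guard already tests the pointer, and the call has moved out of the block closed by the added `}`. A comment that states the new intent would help, for example `/* release the document reference even when the block above did not run (bug #38347) */`. The start of php_libxml_node_decrement_resource is outside the hunk, so the condition of that earlier block is inferred, not visible.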
@@ -195,6 +195,9 @@ static xmlNodePtr sxe_get_element_by_name(php_sxe_object *sxe, xmlNodePtr node, if (sxe->iter.type == SXE_ITER_ELEMENT) { orgnode = sxe_find_element_by_name(sxe, node, sxe->iter.name TSRMLS_CC); + if (!orgnode) { + return NULL; + } node = orgnode->children; } diff --git a/ext/simplexml/tests/bug38347.phpt b/ext/simplexml/tests/bug38347.phpt new file mode 100644 index 0000000000..c25fccea24 --- /dev/null +++ b/ext/simplexml/tests/bug38347.phpt @@ -0,0 +1,28 @@ +--TEST-- +Bug #38347 (Segmentation fault when using foreach with an unknown/empty SimpleXMLElement) +--SKIPIF-- + +--FILE-- +item as $item) { + echo "This code will crash!"; + } +} + +$xmlstr = "Item 1Item 2"; +$xml = simplexml_load_string($xmlstr); +iterate($xml->unknown); + +echo "Done\n"; +?> +--EXPECTF-- +SimpleXMLElement Object +( +) + +Warning: iterate(): Node no longer exists in %s on line %d +Done
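Review bot: The new `if (!orgnode) { return NULL; }` gives sxe_get_element_by_name a NULL result on the `SXE_ITER_ELEMENT` path without documenting it. The rest of the function is outside the hunk, so it is not visible whether anything set up before this point needs undoing, or whether every caller already treats NULL as "no such element". A one-line comment above the check would record the contract, e.g. `/* no element named sxe->iter.name: nothing to iterate (bug #38347) */`. The added bug38347.phpt expects a "Node no longer exists" warning, which suggests the caller does handle NULL, but that handling is not part of this diff.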