From e7544f28b80abb9ba1be696d5c1ec73bf63e311c Mon Sep 17 00:00:00 2001
From: Antony Dovgal <tony2001@php.net>
Date: Tue, 20 Feb 2007 13:22:41 +0000
Subject: [PATCH] MFH: fix #38406 (crash when assigning objects to SimpleXML
 attributes)

---
 NEWS                      |  1 +
 ext/simplexml/simplexml.c | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/NEWS b/NEWS
index 007cf5a622..12e0cce8b0 100644
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,7 @@ PHP                                                                        NEWS
 - Fixed bug #40109 (iptcembed fails on non-jfif jpegs). (Tony)
 - Fixed bug #39836 (SplObjectStorage empty after unserialize). (Marcus)
 - Fixed bug #39322 (proc_terminate() destroys process resource). (Nuno)
+- Fixed bug #38406 (crash when assigning objects to SimpleXML attributes). (Tony)
 - Fixed bug #37799 (ftp_ssl_connect() falls back to non-ssl connection). (Nuno)
 - Fixed bug #36496 (SSL support in imap_open() not working on Windows). (Edin)
 - Fixed bug #34794 (proc_close() hangs when used with two processes).
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index 603d1c5f8a..a37b858a53 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -56,6 +56,7 @@ static php_sxe_object* php_sxe_object_new(zend_class_entry *ce TSRMLS_DC);
 static zend_object_value php_sxe_register_object(php_sxe_object * TSRMLS_DC);
 static xmlNodePtr php_sxe_reset_iterator(php_sxe_object *sxe, int use_data TSRMLS_DC);
 static xmlNodePtr php_sxe_iterator_fetch(php_sxe_object *sxe, xmlNodePtr node, int use_data TSRMLS_DC);
+static zval *sxe_get_value(zval *z TSRMLS_DC);
 
 /* {{{ _node_as_zval()
  */
@@ -427,6 +428,7 @@ static void sxe_prop_dim_write(zval *object, zval *member, zval *value, zend_boo
 	int             is_attr = 0;
 	int				nodendx = 0;
 	int             test = 0;
+	int				new_value = 0;
 	long            cnt;
 	zval            tmp_zv, trim_zv, value_copy;
 
@@ -504,8 +506,17 @@ static void sxe_prop_dim_write(zval *object, zval *member, zval *value, zend_boo
 				break;
 			case IS_STRING:
 				break;
+			case IS_OBJECT:
+				if (Z_OBJCE_P(value) == sxe_class_entry) {
+					value = sxe_get_value(value TSRMLS_CC);
+					INIT_PZVAL(value);
+					new_value = 1;
+					break;
+				}
+				/* break is missing intentionally */
 			default:
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "It is not yet possible to assign complex types to %s", attribs ? "attributes" : "properties");
+				return;
 		}
 	}
 
@@ -594,6 +605,9 @@ next_iter:
 	if (value && value == &value_copy) {
 		zval_dtor(value);
 	}
+	if (new_value) {
+		zval_ptr_dtor(&value);
+	}
 }
 /* }}} */
 
-- 
2.50.1