Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash

nielsdos · nielsdos · commit abf4c116b18a · 2023-12-17T11:47:11.000+01:00
Closes GH-12945.
diff --git a/NEWS b/NEWS
@@ -23,6 +23,10 @@ PHP                                                                        NEWS
 - PHPDBG:
   . Fixed bug GH-12962 (Double free of init_file in phpdbg_prompt.c). (nielsdos)
 
+- SimpleXML:
+  . Fix getting the address of an uninitialized property of a SimpleXMLElement
+    resulting in a crash. (nielsdos)
+
 21 Dec 2023, PHP 8.2.14
 
 - Core:
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
@@ -636,6 +636,9 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f
 
 	sxe = php_sxe_fetch_object(object);
 	GET_NODE(sxe, node);
+	if (UNEXPECTED(!node)) {
+		return &EG(error_zval);
+	}
 	name = ZSTR_VAL(zname);
 	node = sxe_get_element_by_name(sxe, node, &name, &type);
 	if (node) {
diff --git a/ext/simplexml/tests/get_prop_address_not_initialized.phpt b/ext/simplexml/tests/get_prop_address_not_initialized.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Getting the address of an uninitialized property of a SimpleXMLElement
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+
+$rc = new ReflectionClass('SimpleXMLElement');
+$sxe = $rc->newInstanceWithoutConstructor();
+$sxe->a['b'] = 'b';
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: SimpleXMLElement is not properly initialized in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
