From fbb006199321f4266ac43a30706b674846566433 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 15 Nov 2024 21:38:27 +0100
Subject: [PATCH] Fix GH-16808: Segmentation fault in RecursiveIteratorIterator->current() with a xml element input

When the current data is invalid, NULL must be returned. At least that's how the check in SPL works and how other extensions do this as well. If we don't do this, an UNDEF value gets propagated to a return value (misprinted as null); leading to issues.

Closes GH-16825.
---
 NEWS | 4 ++++
 ext/simplexml/simplexml.c | 6 +++++-
 ext/simplexml/tests/gh16808.phpt | 12 ++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 ext/simplexml/tests/gh16808.phpt

diff --git a/NEWS b/NEWS
index 62c1e3eeeeb..ee2e4949920 100644
--- a/NEWS
+++ b/NEWS
@@ -37,6 +37,10 @@ PHP NEWS
   . Fixed bug GH-16695 (phar:// tar parser and zero-length file header
     blocks). (nielsdos, Hans Krentel)
 
+- SimpleXML:
+  . Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator
+    ->current() with a xml element input). (nielsdos)
+
 21 Nov 2024, PHP 8.2.26
 
 - Cli:
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index 21cd5cdb4c7..7e1dcf9eb2a 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -2539,7 +2539,11 @@ static zval *php_sxe_iterator_current_data(zend_object_iterator *iter) /* {{{ */
 {
 	php_sxe_iterator *iterator = (php_sxe_iterator *)iter;
 
-	return &iterator->sxe->iter.data;
+	zval *data = &iterator->sxe->iter.data;
+	if (Z_ISUNDEF_P(data)) {
+		return NULL;
+	}
+	return data;
 }
 /* }}} */
 
diff --git a/ext/simplexml/tests/gh16808.phpt b/ext/simplexml/tests/gh16808.phpt
new file mode 100644
index 00000000000..be0bc59fb65
--- /dev/null
+++ b/ext/simplexml/tests/gh16808.phpt
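Review bot: The new `Z_ISUNDEF_P(data)` guard in php_sxe_iterator_current_data has no comment explaining why NULL is the correct return here, and since the same `iter.data` member is presumably read by the iterator's other callbacks (key/move_forward, outside this hunk) a future reader may fold it back into a bare `return &iterator->sxe->iter.data;`. Suggested comment above the `if`: `/* iter.data is UNDEF when there is no valid current element; the iterator API and its SPL callers test for a NULL return, not for an UNDEF zval, so an UNDEF must never escape as the return value. */`. The test added in this commit shows one such state (current() on a fresh RecursiveIteratorIterator, before any rewind), but exactly when iter.data is left UNDEF should be confirmed against where it is initialised and cleared before the comment names specific cases. The function's signature is only visible in the hunk header; the body shown is the whole of it.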
@@ -0,0 +1,12 @@
+--TEST--
+GH-16808 (Segmentation fault in RecursiveIteratorIterator->current() with a xml element input)
+--EXTENSIONS--
+simplexml
+--FILE--
+");
+$test = new RecursiveIteratorIterator($sxe);
+var_dump($test->current());
+?>
+--EXPECT--
+NULL