Member access within null pointer in ext/spl/spl_observer.c · Issue #14639 · php/php-src · GitHub
Closed
Description
The following code:
<?php
// varToString(): helper from the reproducer script.
// NOTE(review): as shown, this listing does not parse. Several `catch` blocks follow one
// another with no `try {` between them, some `try` bodies are empty, and the `abs_` handler
// has no matching call. Lines were presumably lost when the page was extracted; confirm
// against the original report before running it.
// NOTE(review): the top-level statements after this function never call it in the visible
// listing, so it looks like generated filler rather than the trigger for the reported
// sanitizer error. Confirm.
function varToString($var) {
try {
} catch (Exception $e) {
}
// $var1..$var3 are not defined anywhere in the visible function, and the parameter $var is
// not read; $result is also never initialised before it is written to.
$vars = [$var1, $var2, $var3];
// Visit every pair of entries once (only when $i < $j) and record, per index, the result of
// a series of built-in string/encoding functions or the exception message they produced.
foreach ($vars as $i => $v1) {
foreach ($vars as $j => $v2) {
if ($i < $j) {
try {
} catch (Exception $e) {
$result["serialize_{$i}"] = "Error: " . $e->getMessage();
$result["serialize_{$j}"] = "Error: " . $e->getMessage();
}
try {
// Round trip: unserialize() only ever receives the output of serialize() on the same value.
$result["unserialize_{$i}"] = unserialize(serialize($v1));
$result["unserialize_{$j}"] = unserialize(serialize($v2));
} catch (Exception $e) {
$result["unserialize_{$i}"] = "Error: " . $e->getMessage();
$result["unserialize_{$j}"] = "Error: " . $e->getMessage();
// The calls below recurse into varToString() itself; no base case is visible in this listing.
$result["base64_encode_{$i}"] = base64_encode(varToString($v1));
$result["base64_encode_{$j}"] = base64_encode(varToString($v2));
} catch (Exception $e) {
$result["base64_encode_{$i}"] = "Error: " . $e->getMessage();
$result["base64_encode_{$j}"] = "Error: " . $e->getMessage();
}
try {
$result["base64_decode_{$i}"] = base64_decode(base64_encode(varToString($v1)));
$result["base64_decode_{$j}"] = base64_decode(base64_encode(varToString($v2)));
} catch (Exception $e) {
$result["base64_decode_{$i}"] = "Error: " . $e->getMessage();
$result["base64_decode_{$j}"] = "Error: " . $e->getMessage();
$result["md5_{$i}"] = md5(varToString($v1));
$result["md5_{$j}"] = md5(varToString($v2));
} catch (Exception $e) {
$result["md5_{$i}"] = "Error: " . $e->getMessage();
$result["md5_{$j}"] = "Error: " . $e->getMessage();
}
try {
$result["sha1_{$i}"] = sha1(varToString($v1));
$result["sha1_{$j}"] = sha1(varToString($v2));
} catch (Exception $e) {
$result["sha1_{$i}"] = "Error: " . $e->getMessage();
$result["sha1_{$j}"] = "Error: " . $e->getMessage();
$result["url_encode_{$i}"] = urlencode(varToString($v1));
$result["url_encode_{$j}"] = urlencode(varToString($v2));
} catch (Exception $e) {
$result["url_encode_{$i}"] = "Error: " . $e->getMessage();
$result["url_encode_{$j}"] = "Error: " . $e->getMessage();
}
try {
$result["url_decode_{$i}"] = urldecode(urlencode(varToString($v1)));
$result["url_decode_{$j}"] = urldecode(urlencode(varToString($v2)));
} catch (Exception $e) {
$result["url_decode_{$i}"] = "Error: " . $e->getMessage();
$result["url_decode_{$j}"] = "Error: " . $e->getMessage();
$result["html_encode_{$i}"] = htmlspecialchars(varToString($v1));
$result["html_encode_{$j}"] = htmlspecialchars(varToString($v2));
} catch (Exception $e) {
$result["html_encode_{$i}"] = "Error: " . $e->getMessage();
$result["html_encode_{$j}"] = "Error: " . $e->getMessage();
}
try {
$result["html_decode_{$i}"] = htmlspecialchars_decode(htmlspecialchars(varToString($v1)));
$result["html_decode_{$j}"] = htmlspecialchars_decode(htmlspecialchars(varToString($v2)));
} catch (Exception $e) {
$result["html_decode_{$i}"] = "Error: " . $e->getMessage();
$result["html_decode_{$j}"] = "Error: " . $e->getMessage();
$result["strlen_{$i}"] = strlen(varToString($v1));
$result["strlen_{$j}"] = strlen(varToString($v2));
} catch (Exception $e) {
$result["strlen_{$i}"] = "Error: " . $e->getMessage();
$result["strlen_{$j}"] = "Error: " . $e->getMessage();
}
try {
$result["trim_{$i}"] = trim(varToString($v1));
$result["trim_{$j}"] = trim(varToString($v2));
} catch (Exception $e) {
$result["trim_{$i}"] = "Error: " . $e->getMessage();
$result["trim_{$j}"] = "Error: " . $e->getMessage();
$result["strtoupper_{$i}"] = strtoupper(varToString($v1));
$result["strtoupper_{$j}"] = strtoupper(varToString($v2));
} catch (Exception $e) {
$result["strtoupper_{$i}"] = "Error: " . $e->getMessage();
$result["strtoupper_{$j}"] = "Error: " . $e->getMessage();
}
try {
$result["strtolower_{$i}"] = strtolower(varToString($v1));
$result["strtolower_{$j}"] = strtolower(varToString($v2));
} catch (Exception $e) {
$result["strtolower_{$i}"] = "Error: " . $e->getMessage();
$result["strtolower_{$j}"] = "Error: " . $e->getMessage();
$result["strrev_{$i}"] = strrev(varToString($v1));
} catch (Exception $e) {
$result["abs_{$i}"] = "Error: " . $e->getMessage();
$result["abs_{$j}"] = "Error: " . $e->getMessage();
$result["rand_{$i}_{$j}"] = rand(min($i, $j), max($i, $j));
} catch (Exception $e) {
$result["rand_{$i}_{$j}"] = "Error: " . $e->getMessage();
}
try {
// Invokes the array entry itself when it is callable and stores whatever it returns.
if (is_callable($v2)) {
$result["function_call_{$j}"] = $v2();
}
} catch (Exception $e) {
$result["function_call_{$j}"] = "Error: " . $e->getMessage();
// var_export(..., true) returns each value as PHP source text, so the string handed to
// eval() is built from literals generated here plus the loop indices, not from raw values.
$safe_v1 = var_export(varToString($v1), true);
$safe_v2 = var_export(varToString($v2), true);
$code = '$result["eval_' . $i . '_' . $j . '"] = ' . $safe_v1 . ' . " " . ' . $safe_v2 . ';';
eval($code);
} catch (Exception $e) {
$result["eval_error_{$i}_{$j}"] = "Error: " . $e->getMessage();
}
}
}
}
return $result;
}
// Top-level part of the reproducer: create 10000 StdClass objects, keep each one in the
// array $a (created implicitly by the first `$a[] =`), and attach it to one SplObjectStorage.
// NOTE(review): the report runs the script with memory_limit=2M, so an allocation presumably
// fails part-way through this loop, and the sanitizer message points into
// ext/spl/spl_observer.c. Confirm which call hits the limit; statement order is left
// untouched because it may matter for reproduction.
$b = new SplObjectStorage();
for ($i = 10000; $i > 0; $i--) {
$object = new StdClass();
$a[] = $object;
$b->attach($object);
}
$fiber = new Fiber(function (): void {
while (true) {
}
});

Resulted in this output:
/php-src/ext/spl/spl_observer.c:121:26: runtime error: member access within null pointer of type 'spl_SplObjectStorageElement' (aka 'struct _spl_SplObjectStorageElement')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/ext/spl/spl_observer.c:121:26 in
To reproduce:
php -d "memory_limit=2M" ./test.php
PHP Version
PHP 8.4.0-dev
Operating System
ubuntu 22.04