Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

preg_replace_callback_array segmentation fault #10968

Closed
voidptr127 opened this issue Mar 29, 2023 · 0 comments
Closed

preg_replace_callback_array segmentation fault #10968

voidptr127 opened this issue Mar 29, 2023 · 0 comments
Assignees
@iluuu1994
Labels
Bug Status: Needs Triage

Comments

@voidptr127
Copy link

Description

The following code:

<?php
$a = [];
$a = preg_replace_callback_array($a,$a,$b,$b)
?>

Resulted in this output:

Warning: Undefined variable $b in Standard input code on line 3

Deprecated: preg_replace_callback_array(): Passing null to parameter #3 ($limit) of type int is deprecated in Standard input code on line 3
Segmentation fault (core dumped)

But I expected something like this output instead (I am not sure about the null values. At the very least I would not expect a segmentation fault.):

[rocky@fuzz php-src]$ cat <<'EOF' | ~/php-src/sapi/cli/php
<?php
$a = []; 
$a = preg_replace_callback_array($a,$a,null,null)
?>
EOF

Fatal error: Uncaught Error: preg_replace_callback_array(): Argument #4 ($count) cannot be passed by reference in Standard input code:3
Stack trace:
#0 {main}
  thrown in Standard input code on line 3

How to compile:

./buildconf --force
./configure --disable-all --enable-debug-assertions --enable-option-checking=fatal --without-pcre-jit --disable-cgi --with-pic
make -j$(nproc)

PHP Version

php-8.2.4RC1

Operating System

Rocky Linux release 9.1 (Blue Onyx)
@iluuu1994 iluuu1994 self-assigned this Mar 29, 2023
iluuu1994 added a commit to iluuu1994/php-src that referenced this issue Mar 29, 2023
@iluuu1994
Fix incorrect zval type_flags in ZVAL_ARR macro for immutable arrays
c711835 
So far, the ZVAL_ARR macro always set the zval type_info to IS_ARRAY_EX, even
if the hash table was immutable. If a constant array is passed to
preg_replace_callback_array() it would be returned with incorrect type_flags,
causing the engine to do ref-counting on the constant array.

Fixes phpGH-10968
iluuu1994 added a commit to iluuu1994/php-src that referenced this issue Mar 29, 2023
@iluuu1994
Fix incorrect zval type_flags in preg_replace_callback_array() for im…
07047e4 
…mutable arrays

The ZVAL_ARR macro always set the zval type_info to IS_ARRAY_EX, even if the
hash table is immutable. Since in preg_replace_callback_array() we can return
the passed array directly, and that passed array can be immutable, we can copy
the array to circumvent the problem.

Fixes phpGH-10968
iluuu1994 added a commit to iluuu1994/php-src that referenced this issue Mar 29, 2023
@iluuu1994
Fix incorrect zval type_flags in preg_replace_callback_array() for im…
90fae56 
…mutable arrays

The ZVAL_ARR macro always set the zval type_info to IS_ARRAY_EX, even if the
hash table is immutable. Since in preg_replace_callback_array() we can return
the passed array directly, and that passed array can be immutable, we need to
reset the type_flags to keep the VM from performing ref-counting on the array.

Fixes phpGH-10968
@iluuu1994 iluuu1994 mentioned this issue Mar 29, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@iluuu1994 iluuu1994

Labels
Bug Status: Needs Triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@iluuu1994 @voidptr127 and others