
Cloning a faked SplFileInfo object may segfault #7809

Closed
b1rdex opened this issue Dec 22, 2021 · 3 comments

Comments

@b1rdex
Contributor

b1rdex commented Dec 22, 2021

Description

We have some code that worked without any issues on PHP 8.0, but it's failing with a segmentation fault on 8.1.
I'm not sure whether it's a PHPUnit or PHP issue... So please see the code. Mock creation triggers the problem.

Test repo: b1rdex/php-8.1-segfault

I've opened sebastianbergmann/phpunit#4844 for PHPUnit, but the issue was closed with a piece of advice to report it to PHP. So please see the test repo for the details about the issue.

PHP Version

8.1.1

Operating System

Docker official image

@7snovic
Contributor

7snovic commented Dec 22, 2021

The same on my local machine.

I am using the ondrej/php build


$ php8.1 vendor/bin/phpunit -vvv Test.php
PHPUnit 9.5.10 by Sebastian Bergmann and contributors.

Runtime:       PHP 8.1.0

Segmentation fault (core dumped)

Verified on 8.2 too.

sapi/cli/php vendor/bin/phpunit -vvv Test.php
PHPUnit 9.5.10 by Sebastian Bergmann and contributors.

Runtime:       PHP 8.2.0-dev

Segmentation fault (core dumped)


@cmb69
Member

cmb69 commented Dec 22, 2021

Relevant part of the stack backtrace:

php8_debug.dll!spl_filesystem_object_clone(_zend_object * old_object) Line 360 (c:\php-sdk\phpdev\vs16\x64\php-src-8.0\ext\spl\spl_directory.c:360)
php8_debug.dll!ZEND_CLONE_SPEC_CV_HANDLER(_zend_execute_data * execute_data) Line 38008 (c:\php-sdk\phpdev\vs16\x64\php-src-8.0\Zend\zend_vm_execute.h:38008)
php8_debug.dll!execute_ex(_zend_execute_data * ex) Line 54509 (c:\php-sdk\phpdev\vs16\x64\php-src-8.0\Zend\zend_vm_execute.h:54509)
php8_debug.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 59051 (c:\php-sdk\phpdev\vs16\x64\php-src-8.0\Zend\zend_vm_execute.h:59051)
php8_debug.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1681 (c:\php-sdk\phpdev\vs16\x64\php-src-8.0\Zend\zend.c:1681)
php8_debug.dll!php_execute_script(_zend_file_handle * primary_file) Line 2539 (c:\php-sdk\phpdev\vs16\x64\php-src-8.0\main\main.c:2539)

The problem is at

intern->path = zend_string_copy(source->path);

source->path is NULL, and zend_string_copy() can't handle that. Prior to 13e4ce3, there were no zend_strings but rather char*s so no problem with PHP 8.0.
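To make the failure mode and the fix concrete outside php-src, here is an added example (not code from the issue or from php-src) that models the relevant part of the clone handler in plain C. The `rc_string` type, `rc_string_copy()` and `fs_object` are constructed stand-ins for `zend_string`, `zend_string_copy()` and the SPL filesystem object; like the real `zend_string_copy()`, `rc_string_copy()` dereferences its argument unconditionally, so the guarded clone is the only safe way to handle an object whose `path` was never set.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a refcounted string (stand-in for zend_string). */
typedef struct {
    unsigned refcount;
    size_t len;
    char val[];
} rc_string;

static rc_string *rc_string_new(const char *s) {
    size_t len = strlen(s);
    rc_string *str = malloc(sizeof(*str) + len + 1);
    if (str == NULL) return NULL;
    str->refcount = 1;
    str->len = len;
    memcpy(str->val, s, len + 1);
    return str;
}

/* Stand-in for zend_string_copy(): bump the refcount, return the same pointer.
 * The dereference is unconditional, so passing NULL is a null-pointer read. */
static rc_string *rc_string_copy(rc_string *s) {
    s->refcount++;
    return s;
}

/* Drop one reference; free on the last one. NULL-safe by design. */
static void rc_string_release(rc_string *s) {
    if (s != NULL && --s->refcount == 0) free(s);
}

/* Model of the two nullable string fields on the SPL filesystem object. */
typedef struct {
    rc_string *path;
    rc_string *file_name;
} fs_object;

/* Clone handler with the same NULL guards as the fix: a field that was never
 * set on the source stays NULL on the clone instead of being dereferenced. */
static fs_object *fs_object_clone(const fs_object *source) {
    fs_object *intern = calloc(1, sizeof(*intern)); /* zeroed: fields start NULL */
    if (intern == NULL) return NULL;
    if (source->path != NULL) {
        intern->path = rc_string_copy(source->path);
    }
    if (source->file_name != NULL) {
        intern->file_name = rc_string_copy(source->file_name);
    }
    return intern;
}

static void fs_object_free(fs_object *o) {
    if (o == NULL) return;
    rc_string_release(o->path);
    rc_string_release(o->file_name);
    free(o);
}

/* A "faked" object (constructor never ran, both fields NULL) must clone to an
 * object with both fields still NULL. Returns 1 on success. */
static int check_clone_of_faked_object(void) {
    fs_object faked = { NULL, NULL };
    fs_object *c = fs_object_clone(&faked);
    int ok = c != NULL && c->path == NULL && c->file_name == NULL;
    fs_object_free(c);
    return ok;
}

/* A normally built object shares its strings with the clone: refcount goes
 * to 2 after cloning and back to 1 once the clone is freed. Returns 1 on success. */
static int check_clone_shares_strings(void) {
    fs_object orig = { rc_string_new("/tmp"), rc_string_new("/tmp/file.txt") };
    fs_object *c = fs_object_clone(&orig);
    int shared = c != NULL && c->path == orig.path && orig.path->refcount == 2
                 && orig.file_name->refcount == 2;
    fs_object_free(c);
    int restored = orig.path->refcount == 1 && orig.file_name->refcount == 1;
    rc_string_release(orig.path);
    rc_string_release(orig.file_name);
    return shared && restored;
}

int main(void) {
    printf("faked clone ok: %d\n", check_clone_of_faked_object());
    printf("shared strings ok: %d\n", check_clone_shares_strings());
    return 0;
}
```

The design point is that the copy helper itself is not NULL-tolerant (mirroring `zend_string_copy()`), so every caller that can see a partially initialised object has to check the field first; `calloc` makes the skipped copy safe because the clone's fields are already NULL rather than uninitialised.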

@cmb69
Member

cmb69 commented Dec 22, 2021

The following patch might do:

 ext/spl/spl_directory.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index 1161858468..0ba11f4800 100644
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -385,8 +385,12 @@ static zend_object *spl_filesystem_object_clone(zend_object *old_object)
 
 	switch (source->type) {
 		case SPL_FS_INFO:
-			intern->path = zend_string_copy(source->path);
-			intern->file_name = zend_string_copy(source->file_name);
+			if (source->path != NULL) {
+				intern->path = zend_string_copy(source->path);
+			}
+			if (source->file_name != NULL) {
+				intern->file_name = zend_string_copy(source->file_name);
+			}
 			break;
 		case SPL_FS_DIR:
 			spl_filesystem_dir_open(intern, source->path);
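Review bot: the two new guards rely on intern->path and intern->file_name already being NULL when the copy is skipped, which this hunk does not show; confirm that the allocation in spl_filesystem_object_clone() zero-initialises those fields, or assign NULL explicitly in the else path, so a skipped copy cannot leave an uninitialised pointer that the free handler later releases. The SPL_FS_DIR branch in the trailing context still passes source->path to spl_filesystem_dir_open() unguarded; if a faked object can reach that type, it needs the same check or an early error.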

cmb69 added a commit to cmb69/php-src that referenced this issue Dec 22, 2021
While the `path` is not supposed to be `NULL` for normal operation, it
is possible to create `SplFileInfo` objects where that is the case, and
we must not follow the null pointer.
@cmb69 cmb69 changed the title from "Segmentation fault @ PHP 8.1" to "Cloning a faked SplFileInfo object may segfault" Dec 22, 2021
@cmb69 cmb69 closed this as completed in 0ed39ed Dec 23, 2021
cmb69 added a commit that referenced this issue Dec 23, 2021
* PHP-8.1:
  Fix GH-7809: Cloning a faked SplFileInfo object may segfault