Skip to content

phpdbg: Fix off-by-one in phpdbg_safe_class_lookup() signal-safe class lookup#22593

Merged
TimWolla merged 2 commits into
php:PHP-8.4from
jorgsowa:fix-phpdbg-safe-class-lookup
Jul 4, 2026
Merged

phpdbg: Fix off-by-one in phpdbg_safe_class_lookup() signal-safe class lookup#22593
TimWolla merged 2 commits into
php:PHP-8.4from
jorgsowa:fix-phpdbg-safe-class-lookup

Conversation

@jorgsowa

@jorgsowa jorgsowa commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

lc_length was set to name_length + 1 (including the null terminator) in both branches, but zend_hash_str_find_ptr() requires an exact length match. Using zend_hash_str_find_ptr_lc() with the correct name_length fixes it.

@TimWolla

TimWolla commented Jul 4, 2026

Copy link
Copy Markdown
Member

removes the surface for off-by-one bug.

The title of the PR implies there is a bug. That sentence is much less clear; and the off-by-one isn't clearly described either.

It this an actual bug that should be fixed in PHP 8.4?

lc_length was set to name_length + 1, one past the actual lowercased
string length, so zend_hash_str_find_ptr() (which expects a strlen-style
length) never matched an existing class entry. This made class lookups
during phpdbg's signal-handler interruption path always fail silently.

Replaced the manual emalloc/tolower/efree dance with
zend_hash_str_find_ptr_lc(), which performs the lowercase copy and
lookup in one call and removes the surface for this class of bug.
@jorgsowa jorgsowa changed the base branch from master to PHP-8.4 July 4, 2026 15:27
@jorgsowa jorgsowa force-pushed the fix-phpdbg-safe-class-lookup branch from 8756924 to 146fc94 Compare July 4, 2026 15:30
@jorgsowa

jorgsowa commented Jul 4, 2026

Copy link
Copy Markdown
Contributor Author

I did the wrong order of cherry-picking. I'm sorry for the additional reviews. I cannot remove any reviewer now.

@TimWolla, I modified the description to reflect the bug. I checked the branch 8.4, and it's also buggy, so I pointed to 8.4.

@TimWolla

TimWolla commented Jul 4, 2026

Copy link
Copy Markdown
Member

I modified the description to reflect the bug. I checked the branch 8.4, and it's also buggy, so I pointed to 8.4.

Thanks, this makes sense. Is this a user-facing bug - i.e. does this require a NEWS entry? Do you have a suggested NEWS entry text?

@jorgsowa

jorgsowa commented Jul 4, 2026

Copy link
Copy Markdown
Contributor Author

Thanks. I updated the NEWS section. Unfortunately, it's not possible to create a phpt regression test case for this kind of bug.

@TimWolla TimWolla merged commit 21bf7f6 into php:PHP-8.4 Jul 4, 2026
1 check passed
TimWolla added a commit that referenced this pull request Jul 4, 2026
* PHP-8.4:
  phpdbg: Fix off-by-one in phpdbg_safe_class_lookup() signal-safe class lookup (#22593)
TimWolla added a commit that referenced this pull request Jul 4, 2026
* PHP-8.5:
  phpdbg: Fix off-by-one in phpdbg_safe_class_lookup() signal-safe class lookup (#22593)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants