Member access within null pointer in extension spl #14290

YuanchengJiang · 2024-05-21T14:00:34Z

Description

The following code:

<?php
class foo extends ArrayIterator {
    public function __construct( ) {
        parent::__construct(array(
            'test'=>'test1'));
    }
}
$h = new foo;
$i = new RegexIterator($h, '/^test(.*)/', RegexIterator::REPLACE);
foreach ($i as $name=>$value) {
    var_dump($name, $value);
}
?>

Resulted in this output:

/php-src/ext/spl/spl_iterators.c:1904:5: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/ext/spl/spl_iterators.c:1904:5

To reproduce:

/php-src/sapi/cli/php  -n -c '/php-src/tmp-php.ini'   -d "opcache.cache_id=worker31" -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=0" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "serialize_precision=-1" -d "memory_limit=128M" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "opcache.revalidate_freq=0" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_max_root_traces=100000" -d "opcache.jit_max_side_traces=100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.protect_memory=1" -d "zend.assertions=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/php-src/modules/" -d "zend_extension=/php-src/modules/opcache.so" -d "session.auto_start=0" -d "pcre.jit=0" -d "pcre.recursion_limit=2" -d "arg_separator.input==" -d "internal_encoding=UTF-8" -d "ary2[1]=a" -d "opcache.jit_buffer_size=1M" -f ./test.php

PHP Version

latest commit

Operating System

ubuntu 22.04

The text was updated successfully, but these errors were encountered:

php_pcre_replace_impl() can fail and return NULL. We should take that error condition into account. Because other failures return false, we return false here as well. At first, I also thought there was a potential memory leak in the error check of replacement_str, but found that the error condition can never trigger, so replace that with an assertion.

* PHP-8.2: Fix GH-14290: Member access within null pointer in extension spl

* PHP-8.3: Fix GH-14290: Member access within null pointer in extension spl

YuanchengJiang added Bug Status: Needs Triage labels May 21, 2024

nielsdos added Extension: spl Status: Verified and removed Status: Needs Triage labels May 21, 2024

nielsdos linked a pull request May 21, 2024 that will close this issue

Fix GH-14290: Member access within null pointer in extension spl #14292

Closed

nielsdos closed this as completed in b3a56bd May 21, 2024

nielsdos added a commit that referenced this issue May 21, 2024

Merge branch 'PHP-8.2' into PHP-8.3

88af091

* PHP-8.2: Fix GH-14290: Member access within null pointer in extension spl

nielsdos added a commit that referenced this issue May 21, 2024

Merge branch 'PHP-8.3'

e16bc4b

* PHP-8.3: Fix GH-14290: Member access within null pointer in extension spl

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Member access within null pointer in extension spl #14290

Member access within null pointer in extension spl #14290

YuanchengJiang commented May 21, 2024

Member access within null pointer in extension spl #14290

Member access within null pointer in extension spl #14290

Comments

YuanchengJiang commented May 21, 2024

Description

PHP Version

Operating System