Bug #77793 Segmentation fault in extract() when overwriting reference with itself
Submitted: 2019-03-25 16:10 UTC Modified: 2019-03-25 16:32 UTC
From: contact at joycebabu dot com Assigned: nikic (profile)
Status: Closed Package: Unknown/Other Function
PHP Version: 7.3.3 OS: macOS Mojave 10.14.2
Private report: No CVE-ID: None
 [2019-03-25 16:10 UTC] contact at joycebabu dot com
Description:
------------
The following test code causes PHP to exit with a segmentation fault.

Test script:
---------------
<?php
register_shutdown_function(function () {
        $hookInfo = [function () {}];
        $hooks[][] = [$hookInfo];
});

$options = [
    'sort' => []
];
$defaultOption = ['sort' => []];

$sort = &$options['sort'];
$sort['direction'] = 'asc';

$val = array_merge($defaultOption, $options);
extract($val);

print_r($val);


Expected result:
----------------
Array
(
    [sort] => Array
        (
            [direction] => asc
        )

)

Actual result:
--------------
Array
(
    [sort] => Array
        (
            [direction] => asc
        )

)
Segmentation fault: 11

 [2019-03-25 16:14 UTC] contact at joycebabu dot com
As per the following online PHP interpreter, the issue is present in 7.3.x only.

https://3v4l.org/PSMRW
 [2019-03-25 16:14 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-03-25 16:14 UTC] nikic@php.net
Confirm that this is faulting on 7.3 and working on 7.2.
 [2019-03-25 16:22 UTC] nikic@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: nikic
 [2019-03-25 16:22 UTC] nikic@php.net
Slightly reduced test case:

<?php 
$str = 'foo';
$vars = ['var' => $str . 'bar'];
$var = &$vars['var'];
extract($vars);
var_dump($vars, $var);

The problem is that when we destroy the old value of the variable, we also happen to destroy the new value we're trying to assign...
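
The ordering problem described in the comment above, as an added C example that is not part of the original report and is not php-src code. It uses a toy refcounted value (`val_t` and every function name here are hypothetical) whose "free" only clears a flag, so the stale access is reported as -1 instead of crashing.

```c
#include <stdio.h>

/* Toy refcounted value (hypothetical model, not a PHP zval). "Freeing" only
   clears `live`, so a stale access is detected instead of corrupting memory. */
typedef struct { int refcount; int live; } val_t;

static void val_release(val_t *v) {
    if (--v->refcount == 0) v->live = 0;   /* stands in for free() */
}

/* Returns 0 on success, -1 if the value was already destroyed. */
static int val_addref(val_t *v) {
    if (!v->live) return -1;               /* would be a use-after-free */
    v->refcount++;
    return 0;
}

/* Faulty order: destroy the old value, then take a reference to the new one. */
static int assign_release_first(val_t **slot, val_t *newv) {
    val_release(*slot);
    if (val_addref(newv) != 0) return -1;
    *slot = newv;
    return 0;
}

/* Safe order: take the new reference first, then destroy the old value. */
static int assign_addref_first(val_t **slot, val_t *newv) {
    val_t *old = *slot;
    if (val_addref(newv) != 0) return -1;
    *slot = newv;
    val_release(old);
    return 0;
}

/* Overwrite a slot with the value it already holds (sole owner).
   Returns the final refcount, or -1 if the assignment touched a dead value. */
static int self_assign(int (*assign)(val_t **, val_t *)) {
    val_t v = { 1, 1 };
    val_t *slot = &v;
    int rc = assign(&slot, &v);
    return rc == 0 ? v.refcount : rc;
}

int main(void) {
    printf("release first: %d\n", self_assign(assign_release_first));
    printf("addref first:  %d\n", self_assign(assign_addref_first));
    return 0;
}
```

With two distinct values both orders behave the same; only the self-overwrite case separates them.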
 [2019-03-25 16:32 UTC] nikic@php.net
-Summary: Segmentation fault +Summary: Segmentation fault in extract() when overwriting reference with itself
 [2019-03-25 16:36 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e97577edde49e1f6e86219091b343f80b3b92e65
Log: Fixed bug #77793
 [2019-03-25 16:36 UTC] nikic@php.net
-Status: Assigned +Status: Closed
Last updated: Wed Jan 22 19:01:31 2025 UTC