PHP :: Bug #77793 :: Segmentation fault in extract() when overwriting reference with itself

Bug #77793	Segmentation fault in extract() when overwriting reference with itself
Submitted:	2019-03-25 16:10 UTC	Modified:	2019-03-25 16:32 UTC
From:	contact at joycebabu dot com	Assigned:	nikic (profile)
Status:	Closed	Package:	Unknown/Other Function
PHP Version:	7.3.3	OS:	macOs Mojave 10.14.2
Private report:	No	CVE-ID:	None

View Developer Edit

[2019-03-25 16:10 UTC] contact at joycebabu dot com

Description:
------------
The following test code causes PHP to exit with a segmentation fault.

Test script:
---------------
<?php
register_shutdown_function(function () {
        $hookInfo = [function () {}];
        $hooks[][] = [$hookInfo];
});

$options = [
    'sort' => []
];
$defaultOption = ['sort' => []];

$sort = &$options['sort'];
$sort['direction'] = 'asc';

$val = array_merge($defaultOption, $options);
extract($val);

print_r($val);


Expected result:
----------------
Array
(
    [sort] => Array
        (
            [direction] => asc
        )

)

Actual result:
--------------
Array
(
    [sort] => Array
        (
            [direction] => asc
        )

)
Segmentation fault: 11

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-03-25 16:14 UTC] contact at joycebabu dot com

As per the following online PHP interpreter, the issue is present in 7.3.x only.

https://3v4l.org/PSMRW

[2019-03-25 16:14 UTC] nikic@php.net

-Status: Open +Status: Verified

[2019-03-25 16:14 UTC] nikic@php.net

Confirm that this is faulting on 7.3 and working on 7.2.

[2019-03-25 16:22 UTC] nikic@php.net

-Status: Verified +Status: Assigned -Assigned To: +Assigned To: nikic

[2019-03-25 16:22 UTC] nikic@php.net

Slightly reduced test case:

<?php 
$str = 'foo';
$vars = ['var' => $str . 'bar'];
$var = &$vars['var'];
extract($vars);
var_dump($vars, $var);

The problem is that when we destroy the old value of the variable, we also happen to destroy the new value we're trying to assign...

[2019-03-25 16:32 UTC] nikic@php.net

-Summary: Segmentation fault +Summary: Segmentation fault in extract() when overwriting reference with itself

[2019-03-25 16:36 UTC] nikic@php.net

Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e97577edde49e1f6e86219091b343f80b3b92e65
Log: Fixed bug #77793

[2019-03-25 16:36 UTC] nikic@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 10:01:29 2024 UTC