Bug #79982 stream_socket_client cause crash with call_user_func_array
Submitted: 2020-08-16 08:21 UTC
Modified: 2020-08-16 08:50 UTC
From: 1126774947 at qq dot com
Assigned:
Status: Duplicate
Package: Reproducible crash
PHP Version: 8.0.0beta1
OS: ubuntu 16.04
Private report: No
CVE-ID: None
 [2020-08-16 08:21 UTC] 1126774947 at qq dot com
Description:
------------
stream_socket_client is called by call_user_func_array with wrong params and causes a crash


Test script:
---------------
<?php
call_user_func_array("stream_socket_client",["aa",false,true]);

Actual result:
--------------
php > call_user_func_array("stream_socket_client",["aa",false,true]);
Warning: Parameter 2 to stream_socket_client() expected to be a reference, value given in php shell code on line 1
Warning: Parameter 3 to stream_socket_client() expected to be a reference, value given in php shell code on line 1
Segmentation fault (core dumped)
error info: php: /tmp/tmp/php-src/ext/standard/streamsfuncs.c:133: zif_stream_socket_client: Assertion `(zval_get_type(&(*(zerrno))) == 10)' failed.

backtrace

#0  0x00007ffff6a82428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54

#1  0x00007ffff6a8402a in __GI_abort () at abort.c:89

#2  0x00007ffff6a7abd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0xfb0378 "(zval_get_type(&(*(zerrno))) == 10)", file=file@entry=0xfb02a8 "/tmp/tmp/php-src/ext/standard/streamsfuncs.c", line=line@entry=133, function=function@entry=0xfb08d0 <__PRETTY_FUNCTION__.17877> "zif_stream_socket_client") at assert.c:92

#3  0x00007ffff6a7ac82 in __GI___assert_fail (assertion=0xfb0378 "(zval_get_type(&(*(zerrno))) == 10)", file=0xfb02a8 "/tmp/tmp/php-src/ext/standard/streamsfuncs.c", line=133, function=0xfb08d0 <__PRETTY_FUNCTION__.17877> "zif_stream_socket_client") at assert.c:101

#4  0x0000000000774f42 in zif_stream_socket_client (execute_data=0x7ffff3e15090, return_value=0x7fffffffa480) at /tmp/tmp/php-src/ext/standard/streamsfuncs.c:133

#5  0x00000000008af7f9 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /tmp/tmp/php-src/Zend/zend_vm_execute.h:1618

#6  0x0000000000914c65 in execute_ex (ex=0x7ffff3e15020) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:53824

#7  0x0000000000918d53 in zend_execute (op_array=0x7ffff3e03100, return_value=0x0) at /tmp/tmp/php-src/Zend/zend_vm_execute.h:57920

#8  0x000000000083be3c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/tmp/php-src/Zend/zend.c:1678

#9  0x000000000079cc72 in php_execute_script (primary_file=0x7fffffffca30) at /tmp/tmp/php-src/main/main.c:2621

#10 0x000000000092500a in php_cli_server_dispatch_script (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2077

#11 0x0000000000925819 in php_cli_server_dispatch (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2248

#12 0x00000000009261cc in php_cli_server_recv_event_read_request (server=0x141c320 <server>, client=0x156a5e0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2492

#13 0x00000000009265b1 in php_cli_server_do_event_for_each_fd_callback (_params=0x7fffffffcc90, fd=4, event=1) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2578

#14 0x0000000000922138 in php_cli_server_poller_iter_on_active (poller=0x141c328 <server+8>, opaque=0x7fffffffcc90, callback=0x92635b <php_cli_server_do_event_for_each_fd_callback>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:919

#15 0x0000000000926647 in php_cli_server_do_event_for_each_fd (server=0x141c320 <server>, rhandler=0x926064 <php_cli_server_recv_event_read_request>, whandler=0x926207 <php_cli_server_send_event>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2596

#16 0x00000000009266cf in php_cli_server_do_event_loop (server=0x141c320 <server>) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2606

#17 0x0000000000926a7b in do_cli_server (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli_server.c:2734

#18 0x000000000091ca7d in main (argc=3, argv=0x1437cd0) at /tmp/tmp/php-src/sapi/cli/php_cli.c:1362



History

 [2020-08-16 08:50 UTC] requinix@php.net
-Status: Open +Status: Duplicate
 [2020-08-16 08:50 UTC] requinix@php.net
Probably a duplicate of bug #79979.