Bug #77793 Segmentation fault in extract() when overwriting reference with itself
Submitted: 2019-03-25 16:10 UTC
Modified: 2019-03-25 16:32 UTC
From: contact at joycebabu dot com
Assigned: nikic
Status: Closed
Package: Unknown/Other Function
PHP Version: 7.3.3
OS: macOS Mojave 10.14.2
Private report: No
CVE-ID: None
 [2019-03-25 16:10 UTC] contact at joycebabu dot com
Description:
------------
The following test code causes PHP to exit with a segmentation fault.

Test script:
---------------
<?php
register_shutdown_function(function () {
        $hookInfo = [function () {}];
        $hooks[][] = [$hookInfo];
});

$options = [
    'sort' => []
];
$defaultOption = ['sort' => []];

$sort = &$options['sort'];
$sort['direction'] = 'asc';

$val = array_merge($defaultOption, $options);
extract($val);

print_r($val);


Expected result:
----------------
Array
(
    [sort] => Array
        (
            [direction] => asc
        )

)

Actual result:
--------------
Array
(
    [sort] => Array
        (
            [direction] => asc
        )

)
Segmentation fault: 11

 [2019-03-25 16:14 UTC] contact at joycebabu dot com
As per the following online PHP interpreter, the issue is present in 7.3.x only.

https://3v4l.org/PSMRW
 [2019-03-25 16:14 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-03-25 16:14 UTC] nikic@php.net
Confirm that this is faulting on 7.3 and working on 7.2.
 [2019-03-25 16:22 UTC] nikic@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: nikic
 [2019-03-25 16:22 UTC] nikic@php.net
Slightly reduced test case:

<?php 
$str = 'foo';
$vars = ['var' => $str . 'bar'];
$var = &$vars['var'];
extract($vars);
var_dump($vars, $var);

The problem is that when we destroy the old value of the variable, we also happen to destroy the new value we're trying to assign...
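
A simplified C model of the ordering problem described in the comment above, added here as an illustration; it is not php-src code and not the committed fix. The `value` struct and all function names are assumptions made for the example, and `release()` clears an `alive` flag instead of freeing memory so the premature destruction can be observed safely.

```c
#include <stdio.h>

/* Toy refcounted value (hypothetical, not a zval). Dropping the last
 * reference clears `alive` instead of calling free(), so a read of a
 * destroyed value can be detected without undefined behaviour. */
typedef struct { int refcount; int alive; } value;

static void retain(value *v)  { v->refcount++; }
static void release(value *v) { if (--v->refcount == 0) v->alive = 0; }

/* Hazardous ordering: destroy the slot's old value, then take the new one.
 * Returns 0 if the new value was already destroyed when it was needed. */
static int assign_release_first(value **slot, value *new_val) {
    release(*slot);
    if (!new_val->alive) return 0;  /* real code would touch freed memory */
    retain(new_val);
    *slot = new_val;
    return 1;
}

/* Safe ordering: take a reference to the new value before dropping the old. */
static int assign_retain_first(value **slot, value *new_val) {
    value *old = *slot;
    retain(new_val);
    *slot = new_val;
    release(old);
    return new_val->alive;
}

/* Constructed case: the slot already holds the only reference to the value
 * being assigned, so "old" and "new" are the same object. */
static int run_self_assign(int (*assign)(value **, value *)) {
    value v = { 1, 1 };
    value *slot = &v;
    return assign(&slot, slot) && v.alive && v.refcount == 1;
}

/* Constructed control case: distinct old and new values. */
static int run_distinct_assign(int (*assign)(value **, value *)) {
    value old = { 1, 1 }, fresh = { 1, 1 };
    value *slot = &old;
    return assign(&slot, &fresh) && slot == &fresh
        && fresh.refcount == 2 && !old.alive;
}

int main(void) {
    printf("release-first, self-assign: %d\n", run_self_assign(assign_release_first));
    printf("retain-first,  self-assign: %d\n", run_self_assign(assign_retain_first));
    return 0;
}
```

Both orderings behave identically when the old and new values are distinct, which is why this class of bug tends to surface only when a variable is overwritten with itself.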
 [2019-03-25 16:32 UTC] nikic@php.net
-Summary: Segmentation fault +Summary: Segmentation fault in extract() when overwriting reference with itself
 [2019-03-25 16:36 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e97577edde49e1f6e86219091b343f80b3b92e65
Log: Fixed bug #77793
 [2019-03-25 16:36 UTC] nikic@php.net
-Status: Assigned +Status: Closed