Bug #79783 Segfault in php_str_replace_common
Submitted: 2020-07-04 02:06 UTC Modified: 2020-07-06 07:33 UTC
From: changochen1 at gmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-04 (Git) OS:
Private report: No CVE-ID: None
 [2020-07-04 02:06 UTC] changochen1 at gmail dot com
Description:
------------
In a release build, it triggers a segfault:
---
MemorySanitizer:DEADLYSIGNAL
==160146==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000f8da84 bp 0x000000000000 sp 0x7ffe10b2de00 T160146)
==160146==The signal is caused by a READ memory access.
==160146==Hint: address points to the zero page.
    #0 0xf8da83 in php_str_replace_common /home/yongheng/php_clean/ext/standard/string.c:4379:3
    #1 0x1573b32 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/yongheng/php_clean/Zend/zend_vm_execute.h:1236:2
    #2 0x13ec04f in execute_ex /home/yongheng/php_clean/Zend/zend_vm_execute.h:51852:7
    #3 0x13ec844 in zend_execute /home/yongheng/php_clean/Zend/zend_vm_execute.h:56146:2
    #4 0x1337c58 in zend_execute_scripts /home/yongheng/php_clean/Zend/zend.c:1667:4
    #5 0x10c1cd7 in php_execute_script /home/yongheng/php_clean/main/main.c:2579:14
    #6 0x171abf1 in do_cli /home/yongheng/php_clean/sapi/cli/php_cli.c:958:5
    #7 0x1716fcf in main /home/yongheng/php_clean/sapi/cli/php_cli.c:1357:18
    #8 0x7f78981f4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x440309 in _start (/home/yongheng/php_clean/asan/sapi/cli/php+0x440309)

MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: SEGV /home/yongheng/php_clean/ext/standard/string.c:4379:3 in php_str_replace_common
==160146==ABORTING
---

In a debug build, it triggers an assertion:
---
/home/yongheng/php_clean/ext/standard/string.c:4379: void php_str_replace_common(zend_execute_data *, zval *, int): Assertion `(zval_get_type(&(*(zcount))) == 10)' failed.
---

Test script:
---------------
<?
str_replace ( array () , 1.500000 , array () , DEFINED ( 678.000000 ) ) ;


 [2020-07-05 08:41 UTC] maxsem dot wiki at gmail dot com
The following pull request has been associated:

Patch Name: Fix bug #79783: segfault in str_replace()
On GitHub:  https://github.com/php/php-src/pull/5811
Patch:      https://github.com/php/php-src/pull/5811.patch
 [2020-07-06 07:33 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-07-06 07:33 UTC] cmb@php.net
Crashes as of PHP 7.4.0; doesn't trigger notice ("only variables
should be passed by reference") as of PHP 7.0.0:
<https://3v4l.org/b1psI>.
 [2020-07-07 07:57 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=971e5c5186a2a2339b0dbad4f2a057a9deed5aa2
Log: Fixed bug #79783
 [2020-07-07 07:57 UTC] nikic@php.net
-Status: Verified +Status: Closed
 