php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80096 Segmentation fault with named arguments in nested call
Submitted: 2020-09-12 11:17 UTC Modified: 2020-09-14 13:49 UTC
From: thekid@php.net Assigned: nikic (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 8.0Git-2020-09-12 (Git) OS: Ubuntu / WSL
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: thekid@php.net
New email:
PHP Version: OS:

 

 [2020-09-12 11:17 UTC] thekid@php.net
Description:
------------
Passing a function invoked with named arguments as an argument to a function results in PHP crashing with a segmentation fault.

Test script:
---------------
thekid@Surface:~/bin/php$ ./sapi/cli/php -r 'function p($arg) { echo $arg, "\n"; } p(htmlentities("The < character is encoded as &lt;", do
uble_encode: false));'
Segmentation fault

thekid@Surface:~/bin/php$ ./sapi/cli/php -v
PHP 8.0.0-dev (cli) (built: Sep 12 2020 04:33:25) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.0-dev, Copyright (c) Zend Technologies

Expected result:
----------------
The &lt; character is encoded as &lt;

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-09-12 11:19 UTC] thekid@php.net
Program received signal SIGSEGV, Segmentation fault.
0x00005555558e6d3a in ZEND_SEND_VAR_SPEC_VAR_UNUSED_HANDLER () at /home/thekid/bin/php/Zend/zend_vm_execute.h:28375
28375                           ZVAL_COPY_VALUE(arg, varptr);
(gdb) bt
#0  0x00005555558e6d3a in ZEND_SEND_VAR_SPEC_VAR_UNUSED_HANDLER () at /home/thekid/bin/php/Zend/zend_vm_execute.h:28375
#1  execute_ex (ex=0x0) at /home/thekid/bin/php/Zend/zend_vm_execute.h:58125
#2  0x00005555558ed7df in zend_execute (op_array=<optimized out>, return_value=0x7fffffffcc80)
    at /home/thekid/bin/php/Zend/zend_vm_execute.h:59928
#3  0x0000555555873600 in zend_eval_stringl (
    str=0x555556573fc0 "function p($arg) { echo $arg, \"\\n\"; } p(htmlentities(\"The < character is encoded as &lt;\", double_encode: false));", str_len=<optimized out>, retval_ptr=0x0, string_name=0x5555560a4615 "Command line code")
    at /home/thekid/bin/php/Zend/zend_execute_API.c:1195
#4  0x00005555558737c9 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>,
    string_name=<optimized out>, handle_exceptions=<optimized out>) at /home/thekid/bin/php/Zend/zend_execute_API.c:1236
#5  0x00005555559136f3 in do_cli (argc=3, argv=0x555556573f40) at /home/thekid/bin/php/sapi/cli/php_cli.c:979
#6  0x00005555556462db in main (argc=3, argv=0x555556573f40) at /home/thekid/bin/php/sapi/cli/php_cli.c:1336
 [2020-09-12 12:13 UTC] thekid@php.net
thekid@Surface:~/bin/php$ cat Zend/tests/bug80096.phpt
--TEST--
Bug #80096 (Segmentation fault with named arguments)
--FILE--
<?php
function println($arg) {
  echo $arg, "\n";
}

println(htmlentities("The < character is encoded as &lt;", double_encode: false));
?>
--EXPECT--
The &lt; character is encoded as &lt;
 [2020-09-12 13:14 UTC] thekid@php.net
This does not occur if instead of htmlentities, a userland function is used:

thekid@Surface:~/bin/php$ ./sapi/cli/php -r 'function html($string, $flags= 2, $double= true) { return htmlentities($string, $flags, null, $double); } function p($arg) { echo $arg, "\n"; } p(html("The < character is encoded as &lt;", double: false));'
The &lt; character is encoded as &lt;
 [2020-09-14 13:42 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2020-09-14 13:49 UTC] nikic@php.net
-Summary: Segmentation fault with named arguments +Summary: Segmentation fault with named arguments in nested call
 [2020-09-14 13:50 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=57a4a2c5a8ddd7e2f1214d5b05c270992e19451e
Log: Fixed bug #80096
 [2020-09-14 13:50 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 05:01:30 2024 UTC