Bug #69767 Default parameter value with wrong type segfaults
Submitted: 2015-06-07 12:42 UTC Modified: 2015-06-07 14:19 UTC
From: cmb@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-06-07 (Git) OS: Ubuntu 14.04, Windows 7
Private report: No CVE-ID:
 [2015-06-07 12:42 UTC] cmb@php.net
Description:
------------
When the default value of a function parameter doesn't match the
given type, a segfault occurs. This happens with current master,
and apparently, the bug has been introduced during May, cf.
<http://3v4l.org/2qT7B>.


Test script:
---------------
<?php
function foo(string $bar = '') {}
?>


Expected result:
----------------
Default value for parameters with a string type hint can only be string or NULL in %s on line %d


Actual result:
--------------
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x000000000053ab18 in xbuf_format_converter (
    xbuf=xbuf@entry=0x7fffffffa0c0, is_char=is_char@entry=1 '\001', 
    fmt=0x794f1d "s type hint can only be %s or NULL", 
    ap=0x7fffffffa210) at /home/cmb/php/php-src/main/spprintf.c:609
#2  0x000000000053b95a in vspprintf (pbuf=pbuf@entry=0x7fffffffa128, 
    max_len=1024, format=<optimized out>, ap=<optimized out>)
    at /home/cmb/php/php-src/main/spprintf.c:848
#3  0x0000000000534ffd in php_error_cb (type=64, 
    error_filename=0x7ffff7055248 "/home/cmb/php/php-src/test.php", 
    error_lineno=3, format=<optimized out>, args=<optimized out>)
    at /home/cmb/php/php-src/main/main.c:965
#4  0x0000000000593979 in zend_error (type=type@entry=64, 
    format=format@entry=0x794ef8 "Default value for parameters with a %s type hint can only be %s or NULL")
    at /home/cmb/php/php-src/Zend/zend.c:1180
#5  0x000000000057b4f5 in zend_compile_params (
    ast=ast@entry=0x7ffff707a0c8, 
    return_type_ast=return_type_ast@entry=0x0)
    at /home/cmb/php/php-src/Zend/zend_compile.c:4376
#6  0x00000000005825d0 in zend_compile_func_decl (
    result=result@entry=0x0, ast=ast@entry=0x7ffff707a128)
    at /home/cmb/php/php-src/Zend/zend_compile.c:4685
#7  0x00000000005809ba in zend_compile_stmt (
    ast=ast@entry=0x7ffff707a128)
    at /home/cmb/php/php-src/Zend/zend_compile.c:6831
#8  0x000000000058290a in zend_compile_top_stmt (ast=0x7ffff707a128)
    at /home/cmb/php/php-src/Zend/zend_compile.c:6753
#9  0x000000000058294f in zend_compile_top_stmt (ast=0x7ffff707a018)
    at /home/cmb/php/php-src/Zend/zend_compile.c:6748
#10 0x000000000055f50d in compile_file (file_handle=<optimized out>, 
    type=<optimized out>) at Zend/zend_language_scanner.l:607
#11 0x0000000000593dd6 in zend_execute_scripts (type=type@entry=8, 
    retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /home/cmb/php/php-src/Zend/zend.c:1383
#12 0x0000000000537d30 in php_execute_script (
    primary_file=primary_file@entry=0x7fffffffcb20)
    at /home/cmb/php/php-src/main/main.c:2475
#13 0x0000000000619f8c in do_cli (argc=2, argv=0xa1e610)
    at /home/cmb/php/php-src/sapi/cli/php_cli.c:967
#14 0x000000000041e850 in main (argc=2, argv=0xa1e610)
    at /home/cmb/php/php-src/sapi/cli/php_cli.c:1334


 [2015-06-07 14:19 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2015-06-07 14:19 UTC] cmb@php.net
The issue is in zend_compile_params(), where
arg_info->class_name->val is accessed even though
arg_info->class_name is NULL.[1]

I'll make a PR with a respective fix.

[1] <https://github.com/php/php-src/commit/e22ceb6e829ebb0f54a89d85d35f4aec3e9b5712#diff-3a8139128d4026ce0cb0c86beba4e6b9R4356>
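The crash described in the report and in the comment above is a NULL pointer dereference while formatting a diagnostic: the name used to fill the message's `%s` placeholders was read through `class_name->val` even for scalar hints, where `class_name` is NULL, so `strlen` inside the printf machinery faulted. The following C program is an added illustration of the defensive pattern (it is not php-src code; the struct, enum and function names are assumptions chosen for this example): the type name is derived from the hint kind, the class-name pointer is checked before use, and the formatter reports truncation instead of overrunning its buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a compiler's per-parameter info. The names are
 * assumptions for this example and do not mirror php-src's real structs. */
typedef enum { HINT_NONE = 0, HINT_CLASS, HINT_STRING, HINT_INT, HINT_FLOAT, HINT_BOOL } type_hint_t;

typedef struct {
    const char *val;                 /* class name text */
} class_name_t;

typedef struct {
    type_hint_t type_hint;
    const class_name_t *class_name;  /* NULL for scalar hints such as string */
} arg_info_t;

/* Human-readable type name for a hint. For scalar hints class_name is
 * NULL, so the name must come from the hint kind; dereferencing
 * class_name->val unconditionally is exactly the bug pattern. Even for a
 * class hint the pointer is checked so a malformed entry cannot crash the
 * error path. */
const char *type_hint_name(const arg_info_t *ai) {
    switch (ai->type_hint) {
    case HINT_CLASS:
        return (ai->class_name && ai->class_name->val) ? ai->class_name->val : "object";
    case HINT_STRING: return "string";
    case HINT_INT:    return "int";
    case HINT_FLOAT:  return "float";
    case HINT_BOOL:   return "bool";
    default:          return "mixed";
    }
}

/* Build the compile-time diagnostic into buf. Returns the number of
 * characters written (excluding the NUL), or -1 if buf is too small,
 * so the caller never works with a truncated message by accident. */
int format_default_type_error(char *buf, size_t buflen, const arg_info_t *ai) {
    const char *name = type_hint_name(ai);
    int n = snprintf(buf, buflen,
                     "Default value for parameters with a %s type hint can only be %s or NULL",
                     name, name);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

int main(void) {
    /* Constructed input modelling `function foo(string $bar = '')`. */
    arg_info_t string_param = { HINT_STRING, NULL };
    char buf[128];
    if (format_default_type_error(buf, sizeof buf, &string_param) < 0) {
        fputs("message buffer too small\n", stderr);
        return 1;
    }
    puts(buf);
    return 0;
}
```

The point for reviewers of error-reporting code: diagnostics are reached on the unusual path, so a pointer that is "always set" on the happy path may be NULL precisely when the message is being built, and the formatter's own `strlen` becomes the crash site.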
 [2015-06-08 03:50 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cea801cce24b843764b1b7725a6a885f9519c8ba
Log: Fixed bug #69767 (Default parameter value with wrong type segfaults)
 [2015-06-08 03:50 UTC] laruence@php.net
-Status: Analyzed +Status: Closed
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cea801cce24b843764b1b7725a6a885f9519c8ba
Log: Fixed bug #69767 (Default parameter value with wrong type segfaults)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC