Bug #69767 Default parameter value with wrong type segfaults
Submitted: 2015-06-07 12:42 UTC Modified: 2015-06-07 14:19 UTC
From: cmb@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-06-07 (Git) OS: Ubuntu 14.04, Windows 7
Private report: No CVE-ID: None
 [2015-06-07 12:42 UTC] cmb@php.net
Description:
------------
When the default value of a function parameter doesn't match the
given type, a segfault occurs. This happens with current master,
and apparently, the bug has been introduced during May, cf.
<http://3v4l.org/2qT7B>.


Test script:
---------------
<?php
function foo(string $bar = '') {}
?>


Expected result:
----------------
Default value for parameters with a string type hint can only be string or NULL in %s on line %d


Actual result:
--------------
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x000000000053ab18 in xbuf_format_converter (
    xbuf=xbuf@entry=0x7fffffffa0c0, is_char=is_char@entry=1 '\001', 
    fmt=0x794f1d "s type hint can only be %s or NULL", 
    ap=0x7fffffffa210) at /home/cmb/php/php-src/main/spprintf.c:609
#2  0x000000000053b95a in vspprintf (pbuf=pbuf@entry=0x7fffffffa128, 
    max_len=1024, format=<optimized out>, ap=<optimized out>)
    at /home/cmb/php/php-src/main/spprintf.c:848
#3  0x0000000000534ffd in php_error_cb (type=64, 
    error_filename=0x7ffff7055248 "/home/cmb/php/php-src/test.php", 
    error_lineno=3, format=<optimized out>, args=<optimized out>)
    at /home/cmb/php/php-src/main/main.c:965
#4  0x0000000000593979 in zend_error (type=type@entry=64, 
    format=format@entry=0x794ef8 "Default value for parameters with a %s type hint can only be %s or NULL")
    at /home/cmb/php/php-src/Zend/zend.c:1180
#5  0x000000000057b4f5 in zend_compile_params (
    ast=ast@entry=0x7ffff707a0c8, 
    return_type_ast=return_type_ast@entry=0x0)
    at /home/cmb/php/php-src/Zend/zend_compile.c:4376
#6  0x00000000005825d0 in zend_compile_func_decl (
    result=result@entry=0x0, ast=ast@entry=0x7ffff707a128)
    at /home/cmb/php/php-src/Zend/zend_compile.c:4685
#7  0x00000000005809ba in zend_compile_stmt (
    ast=ast@entry=0x7ffff707a128)
    at /home/cmb/php/php-src/Zend/zend_compile.c:6831
#8  0x000000000058290a in zend_compile_top_stmt (ast=0x7ffff707a128)
    at /home/cmb/php/php-src/Zend/zend_compile.c:6753
#9  0x000000000058294f in zend_compile_top_stmt (ast=0x7ffff707a018)
    at /home/cmb/php/php-src/Zend/zend_compile.c:6748
#10 0x000000000055f50d in compile_file (file_handle=<optimized out>, 
    type=<optimized out>) at Zend/zend_language_scanner.l:607
#11 0x0000000000593dd6 in zend_execute_scripts (type=type@entry=8, 
    retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /home/cmb/php/php-src/Zend/zend.c:1383
#12 0x0000000000537d30 in php_execute_script (
    primary_file=primary_file@entry=0x7fffffffcb20)
    at /home/cmb/php/php-src/main/main.c:2475
#13 0x0000000000619f8c in do_cli (argc=2, argv=0xa1e610)
    at /home/cmb/php/php-src/sapi/cli/php_cli.c:967
#14 0x000000000041e850 in main (argc=2, argv=0xa1e610)
    at /home/cmb/php/php-src/sapi/cli/php_cli.c:1334


History

 [2015-06-07 14:19 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2015-06-07 14:19 UTC] cmb@php.net
The issue is in zend_compile_params(), where
arg_info->class_name->val is accessed even though
arg_info->class_name is NULL.[1]

I'll make a PR with a respective fix.

[1] <https://github.com/php/php-src/commit/e22ceb6e829ebb0f54a89d85d35f4aec3e9b5712#diff-3a8139128d4026ce0cb0c86beba4e6b9R4356>
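Added example (not php-src code and not the fix in the commit linked above): a constructed C model of the compile-time default-value check, showing the hardened form that selects the type name from the hint kind and never dereferences class_name for scalar hints, for which it is NULL. The enum names, the set of hints and the nullable rule are this model's assumptions.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified model of the check described in the report.
 * Scalar hints carry no class name, so class_name is NULL for them; that is
 * the field the crashing code dereferenced unconditionally. */
enum hint_kind { HINT_NONE, HINT_STRING, HINT_INT, HINT_FLOAT, HINT_BOOL, HINT_CLASS };
enum val_kind  { VAL_NULL, VAL_STRING, VAL_INT, VAL_FLOAT, VAL_BOOL };

struct arg_info {
    enum hint_kind hint;
    const char *class_name;   /* only set when hint == HINT_CLASS */
};

/* Type name for the error message; never touches class_name for scalar hints. */
static const char *hint_name(const struct arg_info *ai) {
    switch (ai->hint) {
        case HINT_STRING: return "string";
        case HINT_INT:    return "int";
        case HINT_FLOAT:  return "float";
        case HINT_BOOL:   return "bool";
        case HINT_CLASS:  return ai->class_name ? ai->class_name : "class";
        default:          return "";
    }
}

/* 1 if the default is acceptable for the hint, 0 otherwise.
 * NULL is always allowed in this model (it makes the parameter nullable). */
int default_allowed(const struct arg_info *ai, enum val_kind def) {
    if (def == VAL_NULL || ai->hint == HINT_NONE) return 1;
    switch (ai->hint) {
        case HINT_STRING: return def == VAL_STRING;
        case HINT_INT:    return def == VAL_INT;
        case HINT_FLOAT:  return def == VAL_FLOAT;
        case HINT_BOOL:   return def == VAL_BOOL;
        case HINT_CLASS:  return 0;   /* only NULL is valid for object hints */
        default:          return 1;
    }
}

/* Hardened check: returns 0 and leaves buf untouched when the default is fine,
 * otherwise writes the diagnostic into buf and returns 1. */
int check_default(const struct arg_info *ai, enum val_kind def, char *buf, size_t len) {
    if (default_allowed(ai, def)) return 0;
    const char *name = hint_name(ai);
    snprintf(buf, len, "Default value for parameters with a %s type hint "
                       "can only be %s or NULL", name, name);
    return 1;
}
```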
 [2015-06-08 03:50 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cea801cce24b843764b1b7725a6a885f9519c8ba
Log: Fixed bug #69767 (Default parameter value with wrong type segfaults)
 [2015-06-08 03:50 UTC] laruence@php.net
-Status: Analyzed +Status: Closed
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cea801cce24b843764b1b7725a6a885f9519c8ba
Log: Fixed bug #69767 (Default parameter value with wrong type segfaults)
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 16 05:01:27 2024 UTC