php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74164 PHP hangs when an invalid value is dynamically passed to typehinted by-ref arg.
Submitted: 2017-02-25 02:28 UTC Modified: -
From: shiranai7 at hotmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.1.2 OS: Windows, Linux
Private report: No CVE-ID:
 [2017-02-25 02:28 UTC] shiranai7 at hotmail dot com
Description:
------------
Dynamically passing an invalid value to a typehinted function argument which is also passed by reference while a custom exception-throwing error handler is active will cause PHP to hang.

Interesting observations:

- doesn't happen in PHP versions prior to 7.1.0
- removing the namespace prevents the bug from happening
- the error handler must throw an exception for the hang to occur
- the call must be dynamic or a fatal error is produced instead
- the kind of typehint doesn't seem to matter (it happens with array, a class, a scalar typehint etc.)

Test script:
---------------
<?php

namespace Foo;

set_error_handler(function () {
    throw new \Exception();
});

call_user_func(function (array &$ref) {}, 'not_an_array_variable');


Expected result:
----------------
Fatal error: Uncaught Exception in script.php on line 6

Exception:  in script.php on line 6

Call Stack:
    0.0010     412712   1. {main}() script.php:0
    0.0010     413352   2. call_user_func:{script.php:9}() script.php:9
    0.0010     416144   3. Foo\{closure}() script.php:9


Actual result:
--------------
The script doesn't terminate. PHP hangs indefinitely.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-02-25 04:01 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=36fcc4cb5d92dabc8c8f6f0587c81093bcac878c
Log: Fixed bug #74164 (PHP hangs when an invalid value is dynamically passed to typehinted by-ref arg)
 [2017-02-25 04:01 UTC] laruence@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Jun 28 19:01:44 2017 UTC